Clarifications on Grafana Release/Support lifecycle

Grafana Releases
,
1

(Writing this on behalf of endoflife.date, where we track grafana at /grafana).

Prior discussions on this forum have confirmed a “2 major releases supported” policy. However, we noticed today that:

  • 9.3.0, and 9.2.7 were released, but 8.5.16 is still pending
  • 9.3 seems to be getting feature fixes, while 9.2 is only getting bug fixes.

Questions:

  1. Is v8 still supported?
  2. What kind of fixes are backported to prior major versions? Just security/critical bug-fixes/…?
  3. Is there a separate support cycle for minor releases now that 9.2 and 9.3 are being maintained differently? (In other words: Should we be showing 9.2 and 9.3 separately at endoflife.date/grafana).
  4. Can the support policy be documented somewhere please? We have a nice set of recommendations at https://endoflife.date/recommendations that might be helpful.
2

Prior discussions:

3

I checked recent security release
// Sorry I can not use several links because of my rank

Release 9.3.0, latest release with security patch:
Release 9.2.7, last 9.2 patch with security fix:

Stored XSS in Grafana Alerting (CVE-2022-31097)
Impacted versions
9.1.0-beta1 → 9.3.0-beta1

Timeline
2022-11-28 11:47 PRs submitted for fix with backports to 9.1 and 9.2

From : ttps://grafana.com/blog/2022/11/29/grafana-security-release-new-versions-with-high-severity-security-fix-for-cve-2022-31097/

Maybe 9.1.x is released soon ??
Since this vulnerability is a regression, 8.5.x will not be released.

Release 9.2.4, latest patch, also containing security fix:
Release 8.5.15, only containing security fix:

From : ttps://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/

9.1.x seemed not released
Latest minor version of last 2 major versions are supported ??

Release 9.2, latest release with security fi
Release 9.1.8, only containing security fix
Release 8.5.14, only containing security fix

From :ttps://grafana.com/blog/2022/10/12/grafana-security-releases-new-versions-with-fixes-for-cve-2022-39229-cve-2022-39201-cve-2022-31130-cve-2022-31123/

(upstream 9.2 and) latest minor version of last 2 major versions are supported ??

We are also releasing security releases for Grafana 9.0.8, 8.5.11, 8.4.11 and 8.3.11

From : ttps://grafana.com/blog/2022/08/30/security-release-new-versions-of-grafana-and-grafana-image-renderer-with-a-high-severity-security-fix-for-cve-2022-31176/

Many backport relese …

I can’t understand backport support policy

4

Got an update on Slack. Re-posting here as the Slack needs a login:

  1. yes, we support the current minor (e.g. 9.3.x), the previous minor (e.g. 9.2.x) and the last minor of the previous major (e.g. 8.5.x)
  2. yes, mostly just security+critical bug fixes.
  3. current minor has full support, previous minor (e.g. 9.2.x) is similar to v8 in that it will only really receive security/critical fixes
  4. i’ve asked internally if we can get this published as i agree it’s valuable :slightly_smiling_face:

@ashleyharrison

Slack Ref: Slack.

Slack Signup: https://slack.grafana.com/

5

For the record: release policy - Grafana releases: New 2023 release schedule | Grafana Labs

6

Included the new release schedule in our page: Grafana | endoflife.date (Preview, PR is here).

But this only covers the release schedule, not the support policy - would be nice to have a stable page that covers both. A blog is not ideal, since blogs can get outdated (Kinda what happened with Grafana, where old forum posts referencing the old support policy were outdated).

7

Hi can I check is there official documentation or page which tell us about the support policy for Grafana OSS version? as my understanding is that only grafana enterprise have such policy of version n-1 will be supported, is that apply same to grafana OSS?

8

From my understanding (of documenting and writing up Grafana | endoflife.date), the support policy applies to Grafana OSS.