Clarifications on Grafana Release/Support lifecycle

(Writing this on behalf of endoflife.date, where we track grafana at /grafana).

Prior discussions on this forum have confirmed a “2 major releases supported” policy. However, we noticed today that:

  • 9.3.0, and 9.2.7 were released, but 8.5.16 is still pending
  • 9.3 seems to be getting feature fixes, while 9.2 is only getting bug fixes.

Questions:

  1. Is v8 still supported?
  2. What kind of fixes are backported to prior major versions? Just security/critical bug-fixes/…?
  3. Is there a separate support cycle for minor releases now that 9.2 and 9.3 are being maintained differently? (In other words: Should we be showing 9.2 and 9.3 separately at endoflife.date/grafana).
  4. Can the support policy be documented somewhere please? We have a nice set of recommendations at https://endoflife.date/recommendations that might be helpful.

Prior discussions:

I checked the recent security releases
// Sorry I can not use several links because of my rank

Release 9.3.0, latest release with security patch:
Release 9.2.7, last 9.2 patch with security fix:

Stored XSS in Grafana Alerting (CVE-2022-31097)
Impacted versions
9.1.0-beta1 → 9.3.0-beta1

Timeline
2022-11-28 11:47 PRs submitted for fix with backports to 9.1 and 9.2

From: https://grafana.com/blog/2022/11/29/grafana-security-release-new-versions-with-high-severity-security-fix-for-cve-2022-31097/

Maybe 9.1.x will be released soon?
Since this vulnerability is a regression, 8.5.x will not be released.

Release 9.2.4, latest patch, also containing security fix:
Release 8.5.15, only containing security fix:

From: https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/

9.1.x does not seem to have been released.
Is the latest minor version of the last 2 major versions supported?

Release 9.2, latest release with security fix
Release 9.1.8, only containing security fix
Release 8.5.14, only containing security fix

From: https://grafana.com/blog/2022/10/12/grafana-security-releases-new-versions-with-fixes-for-cve-2022-39229-cve-2022-39201-cve-2022-31130-cve-2022-31123/

(Upstream 9.2 and) the latest minor version of the last 2 major versions are supported?

We are also releasing security releases for Grafana 9.0.8, 8.5.11, 8.4.11 and 8.3.11

From: https://grafana.com/blog/2022/08/30/security-release-new-versions-of-grafana-and-grafana-image-renderer-with-a-high-severity-security-fix-for-cve-2022-31176/

Many backport releases …

I can’t understand the backport support policy

Got an update on Slack. Re-posting here as the Slack needs a login:

  1. yes, we support the current minor (e.g. 9.3.x), the previous minor (e.g. 9.2.x) and the last minor of the previous major (e.g. 8.5.x)
  2. yes, mostly just security+critical bug fixes.
  3. current minor has full support, previous minor (e.g. 9.2.x) is similar to v8 in that it will only really receive security/critical fixes
  4. i’ve asked internally if we can get this published as i agree it’s valuable :slightly_smiling_face:

@ashleyharrison

Slack Ref: Slack.

Slack Signup: https://slack.grafana.com/

For the record: release policy - Grafana releases: New 2023 release schedule | Grafana Labs

Included the new release schedule in our page: Grafana | endoflife.date (Preview, PR is here).

But this only covers the release schedule, not the support policy - would be nice to have a stable page that covers both. A blog is not ideal, since blogs can get outdated (Kinda what happened with Grafana, where old forum posts referencing the old support policy were outdated).

Hi, can I check whether there is official documentation or a page which tells us about the support policy for the Grafana OSS version? My understanding is that only Grafana Enterprise has such a policy, where version n-1 will be supported. Does the same apply to Grafana OSS?

From my understanding (of documenting and writing up Grafana | endoflife.date), the support policy applies to Grafana OSS.

@captn3m0 Hi :slight_smile: Sorry for the slightly off-topic question, but how do you update the grafana.md in your repository? I noticed that it still shows 9.4.3 as the latest release while we are already at 9.4.7 right now.

It auto-updates using the git tags on the grafana repo. Our automation has picked up the tag, but it hasn’t updated the markdown data.

Seems like a bug in our code somewhere - will check and update. Thanks for notifying!

The issue was with the 9.4.0 tag which was created after the 9.4.7 release.

"9.4.7": "2023-03-16"
"9.4.0": "2023-03-21"

Our automation finds a newer release (9.4.0, 21st March) with a lower version number than what’s current (9.4.3), and decides to not change anything since lowering a version number is always a bad idea.

I’ve filed a PR to correct this for now: [grafana] Manually update to 9.4.7 by captn3m0 · Pull Request #2841 · endoflife-date/endoflife.date · GitHub

I’m unsure why the 9.4.0 tag was created so late. If this was meant as a pre-tag, perhaps it could have been tagged as v9.4.0-pre on the actual date (2023-02-03)
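As an added example (not part of the original posts, and not endoflife.date's actual automation), the sketch below picks the latest release of each cycle by version number instead of tag date, so a late 9.4.0 tag cannot mask 9.4.7, and then applies the support policy relayed from Slack earlier in the thread. Apart from the two dates quoted above, the tag data and every function name are constructed for illustration.

```python
from datetime import date

# Tag -> tag date. The 9.4.7 and 9.4.0 dates are the two quoted in the thread;
# every other entry is constructed sample data.
RELEASES = {
    "8.4.11": date(2022, 8, 30),
    "8.5.9": date(2022, 7, 14),
    "8.5.20": date(2023, 1, 25),
    "9.3.6": date(2023, 1, 26),
    "9.4.3": date(2023, 3, 2),
    "9.4.7": date(2023, 3, 16),
    "9.4.0": date(2023, 3, 21),
}

def parse(version):
    """'9.4.7' -> (9, 4, 7), so ordering is numeric ('8.5.20' > '8.5.9')."""
    return tuple(int(part) for part in version.split("."))

def newest_by_date(releases):
    """Naive pick: the most recently created tag, whatever its number."""
    return max(releases, key=releases.get)

def latest_per_cycle(releases):
    """Highest version in each (major, minor) cycle, ignoring tag dates."""
    latest = {}
    for version in releases:
        cycle = parse(version)[:2]
        if cycle not in latest or parse(version) > parse(latest[cycle]):
            latest[cycle] = version
    return latest

def supported_cycles(releases):
    """Policy as relayed in the thread: current minor, previous minor,
    and the last minor of the previous major."""
    cycles = sorted(latest_per_cycle(releases))
    current = cycles[-1]
    same_major = [c for c in cycles if c[0] == current[0]]
    older_major = [c for c in cycles if c[0] < current[0]]
    keep = same_major[-2:]            # current minor plus previous minor, if any
    if older_major:
        keep.append(older_major[-1])  # last minor of the previous major
    return sorted(keep, reverse=True)

if __name__ == "__main__":
    print("newest tag by date:", newest_by_date(RELEASES))
    latest = latest_per_cycle(RELEASES)
    for cycle in supported_cycles(RELEASES):
        print("supported %d.%d -> patch to %s" % (*cycle, latest[cycle]))
```
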

Ah, that explains it, thanks :slightly_smiling_face:

Regarding 9.4.0 released after 9.4.7:

We had already created the 9.4.0 release internally when we had to redo it due to some critical issues. This led to us skipping 9.4.0 in the public release and going with 9.4.2 (IIRC) as the first public release for the 9.4.x series.

Unfortunately, that lack of a public 9.4.0 release caused some administrative issues not under our control and so - after learning about them - we decided to push 9.4.0 out. Sorry that this has caused some troubles for you :frowning_face:
