emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0

End of life policy #5628

Closed. avanide closed this 2 months ago.

avanide commented 2 months ago

Please describe your use case / problem.

I need a better description of the end of life policy to understand what end of support actually means for this project.

Describe the solution you'd like

An API gateway is often the main entrypoint of a system. Any security issue can be directly exposed. The end of life policy (https://www.getambassador.io/docs/edge-stack/latest/about/aes-emissary-eol) clearly defines the maintenance dates and that security patches are done only on maintained versions. However, it is unclear if CVEs are still reported for unmaintained versions.

The proposed solution is: on the end of life policy, may we clarify what unmaintained means: does it mean only that patches are not provided, or does it mean CVEs are not reported too? As an example, the page explains 1.14 has no longer been maintained since Sept 2022. It's clear the patches are not provided. However, it's blurred regarding the CVE reports for this version.

cindymullins-dw commented 2 months ago

Hi @avanide, thanks for the question. Version 1.14 is already EOL and the latest version of Emissary is 3.9.1. Since our decoupling of Emissary from Ambassador's licensed API Gateway Edge Stack late last year, the Emissary release schedule has changed. While there will be future releases, the timing and cadence are still to be determined. It will depend on ongoing planning together with the other maintainers of the project.

I would also note that anyone in the community can build Emissary-ingress from source themselves to capture the latest changes that have been merged but not yet included in a release.

Please feel free to reach out to me at a8r.io/slack (Cindy Mullins) with any questions.