Over the last few months, we have been receiving questions from customers regarding the availability of the Nuxeo Server source code, especially considering the recent acquisition of Nuxeo by Hyland. First off, let me reiterate that Hyland is fully committed to the concept of continuing Nuxeo’s open-source policy.
The changes outlined below had in fact been scheduled, and partially executed, prior to the acquisition.
Towards the end of 2020, the Nuxeo engineering team was working on the LTS 2021 release, which included a roadmap item to ensure that security fixes do not become public too soon.
Our concern, as we observed the fix commits landing on the public maintenance branch, was that anyone watching those commits could infer the security issues we had identified and were working to fix. This might allow malicious actors to target these areas on Nuxeo Platform instances that have yet to receive the patches. The Nuxeo Security Team, which leads our compliance program, requested that we keep fixes out of the public domain for at least 90 days, which typically corresponds to four updates/hot fixes on a maintained LTS release.
To manage the impact on the continuous development of Nuxeo Platform without slowing our overall innovation progress, we developed a three-step plan:
Step 1: Make the maintenance branch of Nuxeo LTS 2021 private.
This had been done prior to the release of Nuxeo LTS 2021. As the developer experience is important to us, we made sure that the sources of the artefacts of each update are available on Nuxeo Connect, so that you can configure your IDE and continue debugging comfortably.
Step 2: Harmonize the branch management on the project.
Since the updates to our release cycle, there is no longer any difference between the master branch and the maintenance branch. Essentially, starting from LTS 2021, we changed our strategy to do less frequent major releases (LTS releases), to limit the burden of more costly upgrades and give us the bandwidth to deliver regular updates that incorporate evolutions in a non-breaking fashion on the active branch (i.e., LTS 2021).
You can read more about this updated strategy here. A consequence of this strategy is that the engineering team would systematically commit to master and then backport each evolution to the LTS branch, which is not efficient and adds little value. We have thus changed the commit flow: new evolutions are implemented in a development branch created from the LTS 2021 maintenance branch, and that development branch is then merged onto the LTS 2021 branch. In summary, the LTS 2021 branch is the new master.
These important and necessary changes did expose one major issue: the LTS 2021 maintenance branch is no longer public, leaving no public master branch, which is not in line with Nuxeo’s open philosophy. Hence the need for step 3.
Step 3: Mirror the LTS branch after 90 days.
It is important for us to stick to our open kitchen values and as such, we are publishing the Nuxeo Platform code repository evolutions with a 90-day delay.
This allows us to both maintain our historical model and also protect the security of our customers' instances.
Customers will still have access to the full commit history, so their expert teams can follow how the project has evolved, if they are interested. Our Platform team will execute on Step 3 and publish in Q1 2022.
We recognize that this strategy appeared to break our open-source principles, but our engineering teams have been working diligently to structure our development process in a way that maximizes the value we deliver to our customers.
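As an added illustration, not part of the original post and not Nuxeo's own tooling, here is one way a delayed mirror like the one described in Step 3 can be implemented with plain git: the public repository only ever receives the newest commit that is already at least 90 days old, so fixes still inside the embargo window never leave the private repository. The repository paths, the branch name, the helper names and the 90-day window are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Nuxeo's own tooling): publish a private branch to a public
# mirror with a fixed embargo, so that only commits older than N days ever reach
# the public repository. Paths, branch name and window size are assumptions.
set -eu

# Newest commit on $branch of $repo whose committer date is at least $days
# days in the past. Prints nothing (exit 0) when every commit is younger.
embargoed_commit() {
    repo=$1 branch=$2 days=$3
    git -C "$repo" rev-list -1 --before="$days days ago" "refs/heads/$branch" --
}

# Push that commit to $public under the same branch name and print its hash.
# The mirrored history is always a prefix of the private one, so the push is
# a plain fast-forward and the mirror never needs force-pushing.
mirror_embargoed() {
    repo=$1 public=$2 branch=$3 days=$4
    commit=$(embargoed_commit "$repo" "$branch" "$days")
    if [ -z "$commit" ]; then
        echo "nothing older than $days days on $branch; mirror unchanged" >&2
        return 0
    fi
    git -C "$repo" push -q "$public" "$commit:refs/heads/$branch"
    echo "$commit"
}

# Example invocation (hypothetical paths), typically run from a daily cron job:
#   mirror_embargoed /srv/git/nuxeo-private.git /srv/git/nuxeo-public.git 2021 90
```

Two points worth noting: the filter keys on the committer date, which git rewrites on rebase or cherry-pick, so a fix that is backported to the LTS branch starts its own 90-day clock from the backport, not from the original commit; and because the public branch is a strict prefix of the private one, a rewritten private history (for instance a force-push that removes a leaked fix) would make the next mirror push fail rather than silently publish it, which is the behaviour you want from an embargo.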
It is important to note that all of this is related to the Nuxeo server code base. Our client SDKs and UI codebases are and will remain fully public.
The reason behind this difference is that critical security vulnerabilities are, by definition, server-side. Conversely, the security impact of vulnerabilities found in the UI layer is lower and does not require withholding the fixes for a period of time. Running the right model for building open-source software is an exciting and never-ending journey that we are glad to share with our community. And there is definitely not one right way of doing it; this is what makes the journey even more interesting.
At Hyland, which recently acquired two major open-source products (Alfresco and Nuxeo platforms), we are now setting up a guild of experts and working on building the Hyland open-source policy to apply to future software initiatives. Stay tuned as we continue to deliver exciting innovation and compelling value in the Nuxeo Platform and across the entire Hyland portfolio.