From 908903b317431958234fde658c0eb75f18981129 Mon Sep 17 00:00:00 2001 From: Eric Blake Date: Tue, 14 Jan 2014 09:49:50 -0700 Subject: [PATCH] docs: mention maintenance branches Mitre tried to assign us two separate CVEs for the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1047577, on the grounds that the fixes were separated by more than an hour and thus triggered different hourly snapshots. But we explicitly do NOT want to treat transient security bugs as CVEs if they can only be triggered by patches in libvirt.git but where the problem is cleaned up before a formal release. Meanwhile, I noticed that while our wiki mentioned maintenance branches and releases, our formal documentation did not. * docs/downloads.html.in: Contrast hourly snapshots with maintenance branches. Signed-off-by: Eric Blake --- docs/downloads.html.in | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/docs/downloads.html.in b/docs/downloads.html.in index 83b8751580..435c2f1181 100644 --- a/docs/downloads.html.in +++ b/docs/downloads.html.in @@ -22,7 +22,9 @@

Once an hour, an automated snapshot is made from the git server source tree. These snapshots should be usable, but we make no guarantees - about their stability: + about their stability; furthermore, they should NOT be + considered formal releases, and they may have transient security + problems that will not be assigned a CVE.

+

Maintenance releases

+

+ In the git repository are several stable maintenance branches, + matching the + pattern vmajor.minor.micro-maint; + these branches are forked off the corresponding + vmajor.minor.micro formal + release, and may have further releases of the + form vmajor.minor.micro.rel. + These maintenance branches should only contain bug fixes, and no + new features, backported from the master branch, and are + supported as long as at least one downstream distribution + expresses interest in a given branch. These maintenance + branches are considered during CVE analysis. +

+ +

+ For more details about contents of maintenance releases, see + the + wiki page. +

+

GIT source repository
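Review bot: In the added maintenance-branch paragraph, the clause order in "should only contain bug fixes, and no new features, backported from the master branch" attaches "backported from the master branch" to "new features"; reorder it to "should only contain bug fixes backported from the master branch, and no new features". In the snapshot paragraph, "transient security problems that will not be assigned a CVE" leaves "transient" undefined, while the commit message gives the actual criterion (a problem that can only be triggered by patches in libvirt.git and is cleaned up before a formal release); stating that criterion in the text would let readers and CVE assigners apply it without reading the commit log. The closing sentence "These maintenance branches are considered during CVE analysis" could likewise say whether it covers unreleased commits on a -maint branch or only the vmajor.minor.micro.rel releases.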