Make a list of known (LTS) issues

[PallHaraldsson]

All open issues are known, but unclear which apply to master and which (also, or only) to LTS.

It might be good to make a list of known bugs (a label? "applies only to LTS"?), for security, or otherwise, for the LTS. Some such as the (non-security? or would some/this bug also count as such?) under discussion here, are known to be fixed on master (and 1.7 if I recall), but not the LTS, and will likely never be fixed:

https://www.reddit.com/r/Julia/comments/uqwd2h/comment/i8u36py/

It is:
#41096 (comment)
"a corner case bug"

I don't know how likely, and apparently not putting people at ease, complaining about non-support for LTS, so I think it might be good to doc the LTS better (this is an open bug so not exactly hidden, just in a sea of other bugs), and since it seems unlikely to be fixed, and if serious, then recently 1.7 was proposed as LTS, so that's also something to consider, and having two for a while and dropping 1.6 LTS soon after.

Another known #45848 not mentioned at https://github.com/JuliaLang/julia/security/advisories but hopefully soon fixed since already approved.

Also the security issue #45397 for stable I guess, and LTS. Is it possible to not just fix, but rather drop the dependency (also mbedTLS)? I'm not sure where it's used, if if critical to Julia.

[JeffBezanson]

The "backport 1.6" label can be used for this.

Open issues by default are assumed to apply to master. If they are only on master, the "regression" label should be applied. If an issue has been fixed but still exists in an old version, the fixing PR can be labeled "backport 1.6", or an issue can be opened requesting backporting.

are known to be fixed on master (and 1.7 if I recall), but not the LTS, and will likely never be fixed:

Whether to backport a patch (to the LTS, or any version) is always going to be a judgment call. Calling this "non-support for LTS" is very misleading. Also, is this just an issue cherry-picked to be an example of us "doing the wrong thing", or does somebody actually need this fixed in the LTS version for real? If somebody is saying "I need to use the LTS version and we are hitting this issue, can it be backported?" that changes things significantly.

[PallHaraldsson]

I believe that's the fix, and the "backport to 1.6" label was removed:
#39980 (comment)

So the open issue on it is misleading, if there's not intention of fixing it. It's not good to just close it, unless 1.6 LTS is dropped, nor is keeping it open indefinitely without it being clear it applies to LTS users, and "no fix panned" isn't clear.

I couldn't figure out (at the time) how big of a deal this is (since a "corner case"). I find it regrettable that the LTS that (few; if any?) use cast shade on the whole (stable, working) Julia 1.7/1.8 project. I tried to answer on Reddit the best I could.

I don't really care that we have any LTS (I live on master mostly...). I didn't cherry-pick, or rather, someone else did, and I just chose to show that.

This issue I opened isn't just about backporting (or LTS), I guess adding such to known open issues, is valid, and would be implied for all tagged with "security". Arguably that label is enough for know security issues, since easy to look up.

[JeffBezanson]

I suspect the issue is still open because we're not sure what to do --- should we backport it, should we try to find a better fix, ...?

[PallHaraldsson]

Yes, does it warrant a new LTS (1.7?), which wouldn't "solve" the problem, until later when 1.6 LTS dropped. Until (that) decided (or just fixed soon), can some clear label and/or list be made?

[KristofferC]

This is talking about a lot of different things and it is unclear what to do here so I will close this.