Aggregation Service release and end‐of‐support plan
This explainer describes the different types of Aggregation Service releases and the process and policies for releases and end-of-support for each release type.
Our goal is to standardize our release process and schedule, and give ad techs visibility into our release policies to enable them to prepare for upcoming and end-of-support releases, and ensure they run stable and secure versions of services. We are seeking feedback from ad techs on this plan.
We will have three types of releases (major, minor, and patches) with a versioning scheme based on the semantic versioning spec (semver.org).
Major releases are for new features that are breaking changes. They require an active migration.
Minor releases are new feature releases, dependency updates inside the trusted execution environment (TEE), shown in the previous diagram, that are non-breaking changes; for example, the addition of Private Aggregation support for Protected Audience and Shared Storage (Changelog 0.6.0). Note that for every minor update, there is backward compatibility on the APIs we expose from the Aggregation Service and between the Aggregation Service and coordinators.
Patches are applied to major or minor releases and include bug fixes, fixes for security vulnerabilities, etc. Patches may be critical (requiring immediate attention) or non-critical, and may occur within or outside the trusted execution environment (refer to the previous diagram).
These are patches for critical bug fixes and security vulnerabilities within the TEE that could have severe negative impact to ad techs (for example: data loss, corruption, or outage) and would cause the aggregation service to no longer function properly. All versions (including previous patches) with these critical issues will be marked out-of-support and removed from the allowlist.
Patches will be applied to all active/supported major and minor releases.
These are patches for security vulnerabilities within the compute image OS, but outside the trusted execution environment. These compute images could be pre-built by Privacy Sandbox or built by ad techs using the source code we publish. We cannot make automatic updates to ad tech environments but will provide updated releases and notify ad techs.
Patches will be applied to all active/supported major and minor releases.
Non-critical patches are patches for non-critical bug fixes and dependency updates. These are voluntary patches that ad techs are not required to adopt.
Non-critical patches that require code changes will be applied to and tested on latest major and minor releases only (unless an exception has been made). Non-critical patches that do not require code changes will be applied and tested on all active/supported major and minor releases.
| Release type | Release schedule | End-of-support schedule |
| Major | TBD: no current plans for major releases | TBD: no current plans for major releases. |
| Minor | Monthly: skipped if there are no new features | After six months. |
| Critical patches (inside TEE) | Ad hoc | Until end-of-support of the minor version that the patch is applied to, or one week after a critical patch release, whichever comes first.
Note: End-of-support of patches inside the TEE is done by removing previous TEE image hashes from the allowlist. |
| Critical patches (outside TEE) | Ad hoc |
Pre-built compute images:
Until end-of-support of the minor version that the patch is applied to, or one week after a critical patch release, whichever comes first. Ad tech-built compute images: N/A: managed by ad techs Note: Similar to API deprecations, we cannot remove old compute images from the ad tech environments but we can make sure the out-of-support compute images are no longer available for new deployments. |
| Non-critical patches | Bi-weekly | Until end-of-support of the minor version that the patch is applied to, or one week after a critical patch release, whichever comes first. |
For critical/vulnerability patches, we will deprecate all previous patches one week after the new release. Example timeline:
- July 15th, 2023: Release non-critical patch → 1.0.1
- August 1st, 2023: Release non-critical patch → 1.0.2
- August 8th, 2023: Release required patch (for example, for a security vulnerability) → 1.0.3
- August 15th, 2023: End-of-support for patch release 1.0.1, 1.0.2
We will publish the releases and end-of-support notices on GitHub. We will also send information about forthcoming new releases and end-of-support schedules to ad techs who opt in to receive email announcements during the onboarding process.