In our startup, we develop a solution for the fin-tech sector. Yesterday we realised that our clients will scan our Docker images with a security radar agent every quarter. It will probably be some McAfee product.
For inexperienced me, that was quite a shock. It essentially creates another trigger for the development process other than adding features and fixing bugs.
After speaking with someone experienced, he told me that as long as a product has not reached its end of life (EOL) support, I don't need to update it. Side note: MongoDB 4.2 breaks our product, unlike Mongo 4.0.
Now, because we were evaluating CouchDB (an Apache project), I was looking for the EOL and I found the following [Source]: "When a security-related release occurs, affected versions are immediately deprecated and no longer supported by the CouchDB team."
Well, that is just unacceptable 🤢. You do realise that I can't put a DB in my production and fear every day that its end of support might just happen, making me use an updated version that who knows if compatible or not?
Luckily, both Mongo [source] and Elasticsearch [source] have 1.5 years of support for each version. Given that, I will have to use them as our production database candidates; only this way can I plan in advance when to upgrade and not be hit with it at the next security scan.