Greetings, Paul A wrote:

Ummm... some of us have production cycles of two (maybe three) years (exceptions made for security)

-- exactly... let's review security updates recently. Google "koha security": 2013-07-29 - 3.12.3, 3.10.9, 3.8.16, 3.6.12 2014-02-07 - 3.14.3, 3.12.10, 3.10.13, 3.8.23 2014-12-10 - 3.18.1 2014-12-11 - 3.16.5 2015-06-23 - 3.20.1, 3.18.8, 3.16.12 Let's say you had 3.6.x in 2013. Less than a year, you would be upgrading to 3.6.12 and a few month later be forced to jump to 3.8.x Let's say you had 3.8.x in 2013. Less than a year, you would be upgrading to 3.8.16, and 3.8.23 less than a year after that. Anything less than 3.16.x in 2014 should have jumped to 3.16.5 less than a two year cycle from 3.6.12. There are 4 distinct security releases in the last 2 years. I'm sorry, but a 2 year production cycle is not realistic in terms of security. And if you argue they were as recent in previous year, I would argue that the quality level of Koha has been improving over time. Consider that debian packages in production were only as of 3.4! Have you seen the massive interface improvements since 3.6.x?! The underlying libraries and technologies have been improved as well. All these sorts of improvements include an increased testing and awareness of security issues.

and only follow the minor/major releases on a sandbox to keep up with enhancements for the next production upgrade. The principle of "if it ain't broke, don't fix it."

-- security issues are by definition broken. So while I agree with the principle, the problem is reality is rather cruel and things break more frequently than we would like. GPML, Mark Tompsett