Who told you that? Take a trip over to
https://downloadarchive.documentfoundation.org/libreoffice/old/

24.2.0.1/|08-Jan-2024
24.2.0.2/|16-Jan-2024
24.2.0.3/|04-Feb-2024
24.2.1.1/|12-Feb-2024
24.2.1.2/|05-Mar-2024
24.2.2.1/|09-Mar-2024
24.2.2.2/|05-Apr-2024
24.2.3.1/|23-Apr-2024
24.2.3.2/|13-May-2024
24.2.4.1/|03-Jun-2024
24.2.4.2/|04-Jun-2024
24.2.5.1/|02-Jul-2024
24.2.5.2/|11-Jul-2024

That is not every three months. I can see where those constant updates would be of benefit, but where you are required to be up to date, it is a complete nuisance.

Is there a ESR version out there?

Take a trip over to Index of /libreoffice/old and see what is “actually” happening. That is not their release plan.

This are minor-updates only for bug-fixings, the major-updates will happen two times each year, with the numbering-schema yy.m.x.y the next major-version is 24.8… which occurs obviously next month

24.2.0.1/|08-Jan-2024
24.2.0.2/|16-Jan-2024
24.2.0.3/|04-Feb-2024 → initial release, after about a month of testing two intermediate release candidates.
24.2.1.1/|12-Feb-2024
24.2.1.2/|05-Mar-2024 → first bugfix release, after about a month after the initial release (and one intermediate candidate).
24.2.2.1/|09-Mar-2024
24.2.2.2/|05-Apr-2024 → second bugfix release, after about a month after the first bugfix release (and one intermediate candidate).
24.2.3.1/|23-Apr-2024
24.2.3.2/|13-May-2024 → third bugfix release, after about a month after the second bugfix release (and one intermediate candidate). Note that 13-May-2024 is wrong, the release was at may 1st, see inside (it’s portable version that was released late).
24.2.4.1/|03-Jun-2024
24.2.4.2/|04-Jun-2024 → fourth bugfix release, after about a month after the third bugfix release (and one intermediate candidate).
24.2.5.1/|02-Jul-2024
24.2.5.2/|11-Jul-2024 → fifth bugfix release, after a bit more than a month after the fourth bugfix release (and one intermediate candidate).

Fifth bugfix release appeared ~ 6 months 1 week after initial release.

Now compare to 7.6.

7.6.0.1/|10-Jul-2023
7.6.0.2/|01-Aug-2023
7.6.0.3/|29-Aug-2023 → initial release, after about a month of testing two intermediate release candidates. Note that 29-Aug-2023 is a lie, actually it was Aug 11th (see inside).
7.6.1.1/|29-Aug-2023
7.6.1.2/|18-Sep-2023 → first bugfix release, after about a month after the initial release (and one intermediate candidate). Again, actually Sep 8th.
7.6.2.1/|10-Oct-2023 → Out-of-order second bugfix (security) release, just two weeks after first bugfix release, without candidates: Sep 26th
7.6.3.1/|05-Nov-2023
7.6.3.2/|23-Nov-2023 → third bugfix release, after about a month after the second bugfix release (and one intermediate candidate).
7.6.4.1/|28-Dec-2023 → out-of-order fourth bugfix (security) release, after about two weeks after previous, without candidates: Dec 4th
7.6.5.1/|01-Feb-2024
7.6.5.2/|27-Feb-2024 → fifth bugfix release, about 2.5 months after previous: Feb 20th

Fifth bugfix release appeared ~ 6 months 1 week after initial release.

I fail to see a difference…

(I like when someone advises me to take a trip over our releases, which I am part of… people are so funny sometimes)

As a side note, I wonder why those industries or you don’t bother to get support or a long-term SLA from an ecosystem partner.

Some partners provide such, yes. It’s all there if you clicked the big blue button box Business users: click here on the download page that leads to LibreOffice in business | LibreOffice - Free and private office suite - Based on OpenOffice - Compatible with Microsoft and read it. Citing:

we strongly recommend using LibreOffice Enterprise versions from one of our ecosystem partners, such as those listed below. In that way, you can get long-term Service Level Agreements (SLA), personalised assistance, technical support, and custom new features. Furthermore, the work done by ecosystem partners flows back into the LibreOffice project, benefiting the larger community of LibreOffice users.

Under PCI, EVERY single bug fix has to be enters, unless LO specifically states which ones a security update and which ones are not. Since it is not stated, I have to install them.

Is there a ESR version out there?

If you have some special requirements, it’s up to you to contract someone who provides you with specially crafted releases / their cadence.

If you use community version, and do not understand the difference between release candidates and releases, it’s not a reason to call the testing mode not released for public, and specifically created for testing, “nuisance”.

Note that a release for “every bug fix” would mean about 100 releases where we have one, because every bugfix release covers tens of bugfixes.

Additionally, X.Y.0 till X.Y.4 releases are usually not recommended for use in production. They are released in fast succession, because on this stage, many bugs appear and get fixed. Later bugfix releases, usually 5th to 7th, are released less frequently, and have less bugs fixed, just because they reach the level of maturity that allows recommending them for production. Only now 24.2 has reached that stage. And indeed, later releases will, as always, be less frequent.

I can not find 7 on your web site, except in the defunct section. Are you saying that only 24 now is supported?

Is there a separate section for candidates and releases?

Yes only 24.2 is now supported (and 24.8 will appear soon in August, in its .0 initial release, to repeat the fast bugfix dance); each version is only supported 1 year - and that’s written clearly on that release plan page, that you dismissed so fast, and that provides a schedule we never fail (sometimes we release earlier - for securities, never later).

And the main download page never advertises candidates as the main releases, only as the “pre-releases for testing” section in the bottom.

• ReleasePlan - The Document Foundation Wiki 24.8_release
• ReleasePlan - The Document Foundation Wiki 24.2_release

image843×145 25.7 KB

Screenshot_2024-07-17_11-44-47884×403 82.7 KB

If not stated which are security updates, I have to install them all. I can see the utility of this, but not for PCI. Also in the defunct section, it shows one to two updates per month. If LO has now backed off to one every three months, it is a little better. I see 13 updates for 24.2 for the first six months of this year. I do not see them backing off.

LO might not be a good fit for these customers. My labor alone over a year keeping LO up to date on all their PCI computers would pay for M$ Office. Only Office looks less work to keep up to date. I will look at that.

Thank you all for the help!

• ReleaseNotes/24.2 - The Document Foundation Wiki
  and if you really need the details of details … ReleaseNotes/24.2: Revision history - The Document Foundation Wiki

Those customers would do better if they found someone who knows what they are doing. Your work of “keeping LO up to date on all their PCI computers” was obviously just waste of money because you never bothered to understand what you needed to do - making yourself familiar with the product release strategy. I tell you, because i used to work as system administrator, keeping a company systems updated, etc. - I know that business. Blame yourself (or dictate your customers the products based on your (in)competence).

Does Libre Office or does not Libre Office states which updates are security updates? Please refrain from the personal insults if you do not understand these requirements.

Every release may contain “security” fixes - for undiscovered issues. We do not mark any release as “not containing security fixes”. There is lots of fuzzing testing going on, and we fix problems that would possibly be exploitable, even without knowing that. But sometimes we release an out-or-order special security release - for discovered security issues.

But that’s not a problem. If you tried to understand, you would learn that:

1. You should never install X.Y.0 to X.Y.4; you always use X.Y.5, X.Y.6, X.Y.7 - which are usually the only three releases of a branch in half a year. So you would only need to install three releases in the time when the newer branch had 5 (.0 to .4, all with much more bugs).
2. You never install X.Y.Z.1, unless it is announced as a release on the main page (and on the main download page). So you usually skip half of work of non-releases - which we do not release, do not announce as such.

You did four times more work than needed.

24.2 had two releases in July

24.2.5.1/02-Jul-2024
24.2.5.2/11-Jul-2024

That is not every three months. Is it your point that even though these two July release contain security patches, that since they are not a published general release, that I should not have to apply them? Do I misunderstand you?

PCI-DSS-v4-0-SAQ-C-r1
6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
• Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.

If you are hiding these vulnerabilities by not placing them in the three month release, then I have not choice by to install the twice monthly updates. Or find some other software to use. (I like LO and would not like to see it removed.)

You do not understand at all.

24.2.5.1/02-Jul-2024 was not a release. It was a release candidate, never announced as a release. It never appeared on download page in a box like

image1257×898 155 KB

and only when it was internally tested, and some problems fixed, the 24.2.5 got a second build, and was released as 24.2.5 (and then the picture shown above appeared for it, and the release announcement came).

Who told you, that in this project, what you see on that archive page, is only the releases? It is not advertised as the primary download source. It is used as archive for everything.

I am looking at
Index of /libreoffice/old
last modified column.

Your point is that is is not a general release? If it contains patches for 'known vulnerabilities", I have to install it. If it is just a testing release, there is nothing stopping you from tagging it as alpha, beta, or release candidate. This would be a lot easier if patches for “known vulnerabilities” were annotated as such. Those are the only ones I am required to install.

just as well as nothing stopping you from reading announcements, release plan, official download page, etc.; and nothing stopping you from stopping telling others what to do in their project that provides the product for free.

Yes these are release candidates. This is their official name. Alphas and betas are only for pre-X.Y.0. And release candidates are never meant for use in production, only for testing. If you confuse them for releases, you do not understand.