Hello team,
In the past, once a release entered the LTS phase with fixes only for security issues, we would switch from the QA branch to a MAINT branch and releases would have a patch level (such as 4.0.8.1). Since we no longer do patch-level release numbers, to be more consistent with Semver and some of the tools we use, we should decide how to handle these LTS releases.
It often doesn’t make sense to merge QA_4_9 into QA_5_0 because of changed file names and different function declarations. Even though the fix is often similar, it doesn’t always merge very well (one example we’ve seen several times lately is the change in array declarations from (IIRC) [ … ] to array( … )).
Would it benefit us to maintain a MAINT_4_9 branch that is meant to NOT merge to QA_5_0? In that case, a security issue would need two pull requests/commits, one for MAINT_4_9 and one for QA_5_0 (soon to be 5_1 anyway). I think that especially with the upcoming release of 5.1 this might make maintenance easier for us.