Hi,
It has occurred to me that our current branches have diverged significantly from QA_4_9 and that our current system of merging any change from QA_4_9 to QA_5_1 then to master doesn't seem ideal to me any longer. This makes security merges difficult.
This got messy at the point where we decided to continue supporting 4.9 for urgent fixes and security fixes, because prior to 4.9, security fixes would generally be assigned a fourth version number (such as 2.11.2.2 or 4.1.14.8). That fourth version number does not conform very well with semver and we've adapted to releasing a new "patch" release for security fixes (4.9.7, for instance). Under the older system, a branch MAINT_4_1_14 would be created for the security fixes for 4.1.14.x, because a QA_ branch would get merged ahead to newer branches but the MAINT branch was not meant to be merged. Similar changes could be git cherry-picked to future branches instead.
Here's what I'm proposing:
* Make a break from merging QA_4_9, remove the QA_4_9 branch and replace it with MAINT_4_9 (not MAINT_4_9_8, which would be the old way). We're really getting towards the end of wanting to support 4.9 anyway, but this will allow us to maintain 4.9 without complicated merges to the 5.x branches. It's easy to see how we got in this situation because at first we were still sort of supporting 4.9 for bug fixes and slowly switched to security only, but this is a good time to commit to doing this the right way.
As a reminder, since we're releasing 5.2.0-rc1, QA_5_2 is going to be created from master, and QA_5_2 will be frozen for new features; it will become bug fix only. Once 5.2.0 is officially released, QA_5_1 will be removed. I don't believe this will cause any problems with compatibility with very old PHP versions as there should be significant overlap.
Regards, Isaac