Cybersecurity, End-of-life README Language for Open-Source Tools
- This article provides an overview of End-of-Life information to include in Open Source product README files.
- This document can help development teams associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity standards - including IT-07.11, IT08.3, and IT13.2.
- Planning ahead for product End-of-Life is necessary for maintaining a secure application development lifecycle (Standard IT7.11), reduces the cost of complying with University Information Security Standards (Standard IT08.3), and reduces the cost of passing web application vulnerability scans (Standard IT13.2).
- Information about End-of-Life should be presented prominently in the product documentation - typically the README file, CHANGELOG or another form of release notes communication.
Example Text for End-of-Life Language
This is an example of text that could be included as the End-of-Life language for a product:
This product is supported by <TEAM NAME> on a best-effort basis.
As of the last update to this README, the expected End-of-Life and End-of-Support dates of this product are 31 October 2031.
The End-of-Life date was determined by these dependencies:
- <DEPENDENCY 01> (End-of-Life is the same as <DEPENDENCY 02>)
- <DEPENDENCY 02> (31 October 2031)
Finding End-of-Life Dates in Dependencies
- Record each dependency's End-of-Life date in a separate file at the time the dependency is chosen
- A useful open-source site that collects End-of-Life dates for common products: https://github.com/endoflife-date/endoflife.date
  - Direct link: https://endoflife.date/
End-of-Life vs End-of-Support Date
- End-of-Life Date
  - The last date on which the development team will provide any updates, releases, patches, etc. for a product
  - Should be no later than the earliest End-of-Life date of any single dependency
- End-of-Support (Service) Date
  - The last date on which customer service and support will be provided for a product
  - Can be the same date as the End-of-Life Date
  - Should be no earlier than the End-of-Life Date
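The two rules above, plus the "same as another dependency" form used in the example README text, can be checked mechanically. The following Python script is an added illustration, not part of the original guidance: it reads a small dependency table of the kind the "Finding End-of-Life Dates in Dependencies" section suggests keeping, resolves "same as" references, derives the latest permissible product End-of-Life, and flags planned dates that violate either rule. The dependency names and dates are constructed placeholders.

```python
from datetime import date

# Constructed sample dependency table (not from the page). Each value is either an
# ISO End-of-Life date or "same as <dependency>", mirroring the README example in
# which DEPENDENCY 01 inherits the End-of-Life date of DEPENDENCY 02.
DEPENDENCIES = {
    "DEPENDENCY 01": "same as DEPENDENCY 02",
    "DEPENDENCY 02": "2031-10-31",
    "DEPENDENCY 03": "2033-04-30",
}

def resolve_eol(name, deps, seen=None):
    """Follow 'same as X' references to a concrete date; reject unknown names and cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"circular End-of-Life reference involving {name!r}")
    if name not in deps:
        raise KeyError(f"no End-of-Life record for dependency {name!r}")
    seen.add(name)
    value = deps[name].strip()
    if value.lower().startswith("same as "):
        return resolve_eol(value[len("same as "):].strip(), deps, seen)
    return date.fromisoformat(value)

def limiting_dependencies(deps):
    """Names of the dependencies whose End-of-Life is earliest; these cap the product's date."""
    resolved = {name: resolve_eol(name, deps) for name in deps}
    earliest = min(resolved.values())
    return sorted(name for name, eol in resolved.items() if eol == earliest)

def product_eol(deps):
    """Latest permissible product End-of-Life: the earliest End-of-Life of any dependency."""
    return resolve_eol(limiting_dependencies(deps)[0], deps)

def check_dates(deps, planned_eol, planned_eos):
    """Return findings for a README's planned dates (ISO strings); an empty list means compliant."""
    eol, eos = date.fromisoformat(planned_eol), date.fromisoformat(planned_eos)
    limit = product_eol(deps)
    findings = []
    if eol > limit:
        findings.append(f"End-of-Life {eol} is later than dependency limit {limit} "
                        f"(set by {', '.join(limiting_dependencies(deps))})")
    if eos < eol:
        findings.append(f"End-of-Support {eos} is earlier than End-of-Life {eol}")
    return findings

if __name__ == "__main__":
    print("Product End-of-Life limit:", product_eol(DEPENDENCIES))
    print("Findings:", check_dates(DEPENDENCIES, "2031-10-31", "2031-10-31"))
```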
Checklist of Items to Include
- Product Introduction
  - What is a one-line description of the product?
  - E.g.: [Product Name] is an application that [short description]
- Maintenance Team
  - What team maintains this product?
  - Does the team provide a support level commitment?
- End-of-Life Details
  - What is the planned End-of-Life Date?
  - What is the planned End-of-Support Date?
  - Are the limiting dependencies listed, so that these dates can be updated in the future?
  - Is there a new product replacing this product, or another recommended solution to migrate to?
References and Useful Links
- README files contain general information about a product. For more information on README files, see https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-readmes