Add SUPPORT-LIFECYCLE document

.gitattributes

@@ -1,7 +1,8 @@
-testdata/*        -text
-maint/manifest-*  -text
-maint/ucptestdata -text
-*.sh              text eol=lf
-pcre2-config.in   text eol=lf
-RunTest           text eol=lf
-RunGrepTest       text eol=lf
+testdata/*        -text
+maint/manifest-*  -text
+maint/ucptestdata -text
+*.sh              text eol=lf
+*.patch           text eol=lf
+pcre2-config.in   text eol=lf
+RunTest           text eol=lf
+RunGrepTest       text eol=lf

.github/workflows/sync.yml

@@ -90,7 +90,7 @@ jobs:
       - name: Commit and push, if docs have changed
         run: |
           if ! git diff --exit-code origin/main -- \
-               ./doc ./AUTHORS.md ./LICENCE.md ./SECURITY.md ./README.md \
+               ./doc ./AUTHORS.md ./LICENCE.md ./SECURITY.md ./SUPPORT-LIFECYCLE.md ./README.md \
                ./README ./NON-AUTOTOOLS-BUILD >/dev/null ; then
             # Differences from main: merge and push
             git config user.name "github-actions[bot]"

CMakeLists.txt

@@ -1470,6 +1470,7 @@ file(
   NEWS
   README
   SECURITY.md
+  SUPPORT-LIFECYCLE.md
 )
 file(GLOB man1 ${PROJECT_SOURCE_DIR}/doc/*.1)
 file(GLOB man3 ${PROJECT_SOURCE_DIR}/doc/*.3)

Makefile.am

@@ -23,6 +23,7 @@ dist_doc_DATA = \
   NEWS \
   README \
   SECURITY.md \
+  SUPPORT-LIFECYCLE.md \
   doc/pcre2.txt \
   doc/pcre2-config.txt \
   doc/pcre2grep.txt \
@@ -289,6 +290,20 @@ EXTRA_DIST += \
   NON-AUTOTOOLS-BUILD \
   HACKING
 
+# These are patches containing backports for older versions of PCRE2
+
+EXTRA_DIST += \
+  patches/pcre2-10.37-Remove-real-POSIX.patch \
+  patches/pcre2-10.39-Fix-incorrect-detection.patch \
+  patches/pcre2-10.40-A-Fixed-a-unicode.patch \
+  patches/pcre2-10.40-B-Fixed-an-issue-affecting.patch \
+  patches/pcre2-10.43-Avoid-LIMIT_HEAP-integer.patch \
+  patches/pcre2-10.43-Fix-heapframe-overflow.patch \
+  patches/pcre2-10.44-Fix-incorrect-compiling.patch \
+  patches/pcre2-10.44-Fix-locking-region.patch \
+  patches/pcre2-10.45-Memory-reports-only-compiled.patch \
+  patches/pcre2-10.47-Fix-for-callback.patch
+
 # These are support files for building with Bazel or Zig
 
 EXTRA_DIST += \

README

@@ -519,13 +519,14 @@ system. The following are installed (file names are all relative to the
     *.html (lots more pages, hyperlinked from index.html)
 
   Text file documentation (share/doc/pcre2):
-    AUTHORS
+    AUTHORS.md
     COPYING
     ChangeLog
-    LICENCE
+    LICENCE.md
     NEWS
     README
-    SECURITY
+    SECURITY.md
+    SUPPORT-LIFECYCLE.md
     pcre2.txt         (a concatenation of the man(3) pages)
     pcre2test.txt     the pcre2test man page
     pcre2grep.txt     the pcre2grep man page
@@ -920,6 +921,7 @@ The distribution should contain the files listed below.
   LICENCE.md               conditions for the use of PCRE2
   COPYING                  the same, using GNU's standard name
   SECURITY.md              information on reporting vulnerabilities
+  SUPPORT-LIFECYCLE.md     information on the support policy
   Makefile.in              ) template for Unix Makefile, which is built by
                            )   "configure"
   Makefile.am              ) the automake input that was used to create

README.md

@@ -265,6 +265,8 @@ Join the community by reporting issues or asking questions via [GitHub issues](h
 
 Contributions ranging from bug fixes to feature requests are welcome, and can be made via GitHub pull requests.
 
+Our support lifecycle is to backport security and high-severity bug fixes for at least five years. See [SUPPORT-LIFECYCLE](./SUPPORT-LIFECYCLE.md) for how to package older versions of PCRE2.
+
 Please review our [SECURITY](./SECURITY.md) policy for information on reporting security issues.
 
 Release announcements will be made via the [pcre2-dev@googlegroups.com](https://groups.google.com/g/pcre2-dev) mailing list, where you can also start discussions about PCRE2 issues and development. You can browse the [list archives](https://groups.google.com/g/pcre2-dev).

SECURITY.md

@@ -22,11 +22,12 @@ Git checkout of the (GPG-signed) release tag.
 Please contact the maintainers for any queries about release integrity or the
 project's supply-chain.
 
-Previous vulnerabilities
-------------------------
+Support lifecycle
+-----------------
 
-* CVE-2025-58050 (August 2025). Affects 10.45 only (not earlier), and is fixed
-  in 10.46.
+See the documentation under [SUPPORT-LIFECYCLE](./SUPPORT-LIFECYCLE.md) for
+details on how to distribute versions of PCRE2 older than the latest, with
+backported security and high-severity bug fixes.
 
 Reporting vulnerabilities
 -------------------------
@@ -47,8 +48,7 @@ aim to respond within 1 week, or perhaps 2 during holidays.
 
 ### Response procedure
 
-PCRE2 has in the past made at least one rapid release in response to
-security incidents.
+PCRE2 has in the past made rapid releases in response to security incidents.
 
 We have never produced an embargoed release, or provided preferential
 access to security fixes to any clients.
@@ -57,3 +57,25 @@ We would aim to notify security managers from trusted downstream distributors,
 such as major Linux distributions, via the `pcre2-dev` mailing list, by
 publicly signalling an upcoming security release before disclosing the
 vulnerability publicly, where advance notification is possible.
+
+Previous vulnerabilities
+------------------------
+
+* CVE-2025-58050 (August 2025). Affects 10.45 only (not earlier), and is fixed
+  in 10.46.
+* CVE-2022-41409 (July 2023). Only affects test code; no expected impact. Fixed
+  in 10.41.
+* CVE-2022-1587 and CVE-2022-1586 (May 2020). Affect versions before 10.40, and
+  fixed in 10.40.
+* CVE-2019-20454 (February 2020). Affects versions 10.31 to 10.33, and is fixed
+  in 10.34.
+* CVE-2017-8786 (May 2017). Only affects test code. Fixed in 10.30.
+* CVE-2017-8399 (May 2017). High severity. Fixed in 10.30.
+* CVE-2017-7186 (March 2017). Fixed in 10.30.
+* CVE-2016-3191 (March 2016). High severity. Fixed in 10.22.
+* CVE-2015-8381, CVE-2015-3217 and CVE-2015-3210 (December 2015). High severity.
+  Fixed in 10.20.
+
+Common Platform Enumeration (CPE) names:
+* CPE name version 2.3: `cpe:2.3:a:pcre:pcre2:-:*:*:*:*:*:*:*`
+* CPE name version 2.2: `cpe:/a:pcre:pcre2:-`