Re: Please add warning to download page if tarball isn't patched up with all latest security fixes

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Please add warning to download page if tarball isn't patched up with all latest security fixes
From: Dirk Laurie <dirk.laurie@...>
Date: Thu, 21 Aug 2014 16:33:10 +0200

2014-08-21 15:49 GMT+02:00 Jonas Thiem <jonasthiem@googlemail.com>:
> I think the common practise is to add an additional number for the
> patch level. However, I understand Lua doesn't want to rerelase fixed
> tarballs due to lack of time - but at least the download page should
> have a note on that practise.
>
> On Thu, Aug 21, 2014 at 3:30 PM, Thomas Harning <harningt@gmail.com> wrote:
>> Bizarre... Fixes are what point release changes are meant for.
>> I'd be annoyed if two downloads of a specific release changed over the
>> time-it's like modifying a tag... You just don't do it.
>>
>>
>>
>>
>> On Thursday Aug 21, 2014 at 9:27 AM, Jonas Thiem , wrote:
>>
>> Hi *,
>>
>> I suggest adding a warning to download page if the tarball isn't
>> patched up with all latest security fixes (e.g. like #1 bug in Lua
>> 5.2.2 published in April 2013 on lua.org/bugs.html, which wasn't fixed
>> in the tarball up to the release of 5.2.3 in Nov 2013).
>>
>> I am asking because Red Hat/Fedora appeared to be totally unaware the
>> tarballs aren't patched up, and in conclusion I assume other
>> distributions and packagers might possibly also not be aware unless
>> there is a very obvious note on the download page that this is common
>> practise for Lua releases.
>>
>> The response to this bug in 5.2.2 which leads to a crash and possibly
>> memory corruption I just got from Red Hat Security Alert was "As
>> Fedora would have rebased to upstream version 5.2.2, I do not know why
>> the fix is not in there." which indicates they missed how Lua doesn't
>> update released tarballs.

There is an official bugs/patches page: <http://www.lua.org/bugs.html>
which any reasonably experienced Lua user consults from time to time.
BTW there has an item on 5.2.3 in there for almost five months.

What you are telling us is that the maintainer of the Fedora package
is either (a) unaware of that page (b) under the impression that
a published tarball with a minor release number should change its
contents without changing its name. I cannot imagine a Debian
or Ubuntu maintainer being so sloppy.

There is no substitute for meticulous attention to detail, especially
if one is a package maintainer.  A warning on the download pages
would be precisely as useful as "may contain nuts" on a bag of mints.

Follow-Ups:
- Re: Please add warning to download page if tarball isn't patched up with all latest security fixes, Jonas Thiem

References:
- Please add warning to download page if tarball isn't patched up with all latest security fixes, Jonas Thiem
- Re: Please add warning to download page if tarball isn't patched up with all latest security fixes, Thomas Harning
- Re: Please add warning to download page if tarball isn't patched up with all latest security fixes, Jonas Thiem

Prev by Date: Re: Feature request: plain option for gsub
Next by Date: Re: Please add warning to download page if tarball isn't patched up with all latest security fixes
Previous by thread: Re: Please add warning to download page if tarball isn't patched up with all latest security fixes
Next by thread: Re: Please add warning to download page if tarball isn't patched up with all latest security fixes
Index(es):
- Date
- Thread