2014-08-21 15:49 GMT+02:00 Jonas Thiem <jonasthiem@googlemail.com>:
> I think the common practice is to add an additional number for the
> patch level. However, I understand Lua doesn't want to re-release fixed
> tarballs due to lack of time - but at least the download page should
> have a note on that practice.
>
> On Thu, Aug 21, 2014 at 3:30 PM, Thomas Harning <harningt@gmail.com> wrote:
>> Bizarre... Fixes are what point release changes are meant for.
>> I'd be annoyed if two downloads of a specific release changed over
>> time - it's like modifying a tag... You just don't do it.
>>
>> On Thursday Aug 21, 2014 at 9:27 AM, Jonas Thiem wrote:
>>
>> Hi *,
>>
>> I suggest adding a warning to the download page if the tarball isn't
>> patched up with all the latest security fixes (e.g. like bug #1 in Lua
>> 5.2.2, published in April 2013 on lua.org/bugs.html, which wasn't fixed
>> in the tarball up to the release of 5.2.3 in Nov 2013).
>>
>> I am asking because Red Hat/Fedora appeared to be totally unaware that the
>> tarballs aren't patched up, and in conclusion I assume other
>> distributions and packagers might possibly also not be aware unless
>> there is a very obvious note on the download page that this is common
>> practice for Lua releases.
>>
>> The response to this bug in 5.2.2 which leads to a crash and possibly
>> memory corruption I just got from Red Hat Security Alert was "As
>> Fedora would have rebased to upstream version 5.2.2, I do not know why
>> the fix is not in there." which indicates they missed how Lua doesn't
>> update released tarballs.

There is an official bugs/patches page: <http://www.lua.org/bugs.html>
which any reasonably experienced Lua user consults from time to time.
BTW there has been an item on 5.2.3 in there for almost five months.

What you are telling us is that the maintainer of the Fedora package
is either (a) unaware of that page or (b) under the impression that
a published tarball with a minor release number should change its
contents without changing its name. I cannot imagine a Debian
or Ubuntu maintainer being so sloppy.

There is no substitute for meticulous attention to detail, especially
if one is a package maintainer.  A warning on the download pages
would be precisely as useful as "may contain nuts" on a bag of mints.
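The practical check behind this thread is whether a given source tree already contains a fix that was published as a separate patch rather than rolled into the tarball. The following is an added example, not code from the Lua project or from anyone in this thread: it parses a single-file unified diff, then reports whether a source file matches the patch's post-image ("applied"), its pre-image ("unpatched"), or neither ("unknown", typically a different version). The source text and the patch embedded below are constructed samples, not the real Lua 5.2.2 code or the real lua.org fix.

```python
"""Classify a source file against a published patch: applied, unpatched, or unknown.

Added example for packagers rebasing onto a release tarball; it is not
part of the Lua project.  Handles single-file unified diffs only.
"""
import re

# Hunk header of a unified diff: @@ -old_start[,old_len] +new_start[,new_len] @@
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(patch_text):
    """Return a list of (pre_image, post_image) line lists, one per hunk.

    Context lines go into both images, '-' lines only into the pre-image,
    '+' lines only into the post-image.  File headers before the first
    hunk and '\\ No newline at end of file' markers are ignored.
    """
    hunks = []
    pre = post = None
    for line in patch_text.splitlines():
        if HUNK_RE.match(line):
            pre, post = [], []
            hunks.append((pre, post))
        elif pre is None or line.startswith("\\"):
            continue
        elif line.startswith("-"):
            pre.append(line[1:])
        elif line.startswith("+"):
            post.append(line[1:])
        elif line.startswith(" ") or line == "":
            # Some tools strip a lone trailing space from blank context lines.
            pre.append(line[1:])
            post.append(line[1:])
    return hunks


def contains_sequence(lines, needle):
    """True if `needle` occurs as a contiguous run of lines inside `lines`."""
    if not needle:
        return True
    n = len(needle)
    return any(lines[i:i + n] == needle for i in range(len(lines) - n + 1))


def patch_status(source_text, patch_text):
    """Return 'applied', 'unpatched', or 'unknown' for one source file."""
    lines = source_text.splitlines()
    hunks = parse_hunks(patch_text)
    applied = all(contains_sequence(lines, post) for _, post in hunks)
    unpatched = all(contains_sequence(lines, pre) for pre, _ in hunks)
    if applied and not unpatched:
        return "applied"
    if unpatched and not applied:
        return "unpatched"
    return "unknown"


# Constructed samples (hypothetical code, not Lua's): a lookup without a
# bounds check, the same file with the check added, and the patch between them.
UNPATCHED_SRC = """\
static int get_item (Table *t, int i) {
  return t->items[i];
}
"""

PATCHED_SRC = """\
static int get_item (Table *t, int i) {
  if (i < 0 || i >= t->size) return 0;
  return t->items[i];
}
"""

SAMPLE_PATCH = """\
--- old/table.c
+++ new/table.c
@@ -1,3 +1,4 @@
 static int get_item (Table *t, int i) {
+  if (i < 0 || i >= t->size) return 0;
   return t->items[i];
 }
"""

if __name__ == "__main__":
    for label, src in (("tarball copy", UNPATCHED_SRC),
                       ("distro copy", PATCHED_SRC),
                       ("other version", "int main(void) { return 0; }\n")):
        print(f"{label}: {patch_status(src, SAMPLE_PATCH)}")
```

An "unknown" result is the case worth surfacing in a packaging pipeline: it means the tree is neither the released pre-image nor the fixed post-image, so a rebase onto a new tarball has to be re-checked against the published patch list by hand.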