- Subject: Re: Please add warning to download page if tarball isn't patched up with all latest security fixes
- From: Jonas Thiem <jonasthiem@...>
- Date: Thu, 21 Aug 2014 16:36:14 +0200
I think they are unaware that there is no patched release with a
possibly updated patch version number of all those reported bugs in a
timely fashion. Nobody is suggesting a rerelease with exactly the same
version number.
Also yes, it is not good that they missed on this, but that is exactly
why I am proposing a more obvious note on the download page. This
shouldn't slip past package maintainers, but apparently it does (and
it also slipped past me in a few months of my personal Lua use) so why
not try to do something about it? A note doesn't need much time to
write (unlike a change in policies to actually release updates more
often).
Regards,
Jonas Thiem
On Thu, Aug 21, 2014 at 4:33 PM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
> 2014-08-21 15:49 GMT+02:00 Jonas Thiem <jonasthiem@googlemail.com>:
>> I think the common practice is to add an additional number for the
>> patch level. However, I understand Lua doesn't want to rerelease fixed
>> tarballs due to lack of time - but at least the download page should
>> have a note on that practice.
>>
>> On Thu, Aug 21, 2014 at 3:30 PM, Thomas Harning <harningt@gmail.com> wrote:
>>> Bizarre... Fixes are what point release changes are meant for.
>>> I'd be annoyed if two downloads of a specific release changed over
>>> time; it's like modifying a tag... You just don't do it.
>>>
>>> On Thursday Aug 21, 2014 at 9:27 AM, Jonas Thiem wrote:
>>>
>>> Hi *,
>>>
>>> I suggest adding a warning to the download page if the tarball isn't
>>> patched up with all the latest security fixes (e.g. like bug #1 in Lua
>>> 5.2.2 published in April 2013 on lua.org/bugs.html, which wasn't fixed
>>> in the tarball up to the release of 5.2.3 in Nov 2013).
>>>
>>> I am asking because Red Hat/Fedora appeared to be totally unaware the
>>> tarballs aren't patched up, and in conclusion I assume other
>>> distributions and packagers might possibly also not be aware unless
>>> there is a very obvious note on the download page that this is common
>>> practice for Lua releases.
>>>
>>> The response to this bug in 5.2.2 which leads to a crash and possibly
>>> memory corruption I just got from Red Hat Security Alert was "As
>>> Fedora would have rebased to upstream version 5.2.2, I do not know why
>>> the fix is not in there." which indicates they missed how Lua doesn't
>>> update released tarballs.
>
> There is an official bugs/patches page: <http://www.lua.org/bugs.html>
> which any reasonably experienced Lua user consults from time to time.
> BTW there has been an item on 5.2.3 in there for almost five months.
>
> What you are telling us is that the maintainer of the Fedora package
> is either (a) unaware of that page or (b) under the impression that
> a published tarball with a minor release number should change its
> contents without changing its name. I cannot imagine a Debian
> or Ubuntu maintainer being so sloppy.
>
> There is no substitute for meticulous attention to detail, especially
> if one is a package maintainer. A warning on the download pages
> would be precisely as useful as "may contain nuts" on a bag of mints.
>