- Subject: Re: Lua [in]security and the distributors
- From: Jonas Thiem <jonasthiem@...>
- Date: Tue, 26 Aug 2014 19:27:28 +0200
There wasn't even a quick release of an update to 5.2.2, where this bug
was found originally, just 5.2.3 a few months later after this bug was
made public (though a patch was available to everyone willing to patch
themselves until 5.2.3 was finally released). So maybe doing a timely
updated release of the *current version* would be a first start before
bothering with the older ones like 5.1.
Also, visibility of known issues seems to be a problem: it seems people
just don't check the bug page that often, or assume it doesn't hold
security-critical stuff that is unpatched in the download page's
latest tarball.
On Tue, Aug 26, 2014 at 7:02 PM, David Heiko Kolf <david@dkolf.de> wrote:
> Jonas Thiem wrote:
>> Enrico, sorry I blamed the distributors (which includes you?) so
>> publicly, it is just a bit sad to see how something published in April
>> 2013 is still unfixed everywhere.
>
> Well, to me the question would be whether this is entirely the
> distributors' problem. For security-related bugs it might help to release
> binary-compatible new minor versions even of old Lua versions quickly
> after a fix is found, especially of Lua 5.1, as it is probably still the
> most widely used version.
>
> Though if a distribution continues to use Lua 5.2.2 instead of 5.2.3 (as
> it sounds like in your original mail from 2014-08-21), then of course the
> fix won't be in there, and it should be obvious to everyone familiar with
> program versions. (Released versions should never change.)
>
> Best regards,
>
> David Kolf