- Subject: Re: Lua [in]security and the distributors
- From: Jay Carlson <nop@...>
- Date: Tue, 26 Aug 2014 17:18:25 -0400
On Aug 26, 2014, at 2:57 PM, Roberto Ierusalimschy <roberto@inf.puc-rio.br> wrote:
> Would our sin be smaller if our single crash bug had no
> known patch?
No. We especially love localized patches. They aren't sins, they're acts of benevolence. We want to use those patches. Because this patch doesn't really have a name (nor does 5.2.3+patch have a name), fewer people knew about this good work.
Full releases are a pain, and I don't want you to avoid disclosing experimental or one-off patches because it would imply a full release.
Perhaps after a week or so on the mailing list, you could say: "OK, let's give our patch from 2014-04-01 the name '5.2.3 post1'." I think search engines would index that, so anybody could find your mailing list message. Obviously, 5.2.4 would later roll up those patches.
But having patches at all is better than keeping clean naming and no patches.
With software at this level of stability, it is sometimes difficult to do anything with names. In retrospect, I made a mess once from not wanting to name things. I had patched "1.8.0p6" to "1.8.0r1", "1.8.0r2", ending up at "1.8.1". Then I stopped naming things. Later, the next maintainer had to skip to "1.8.3" because there were so many third-party patchsets prematurely naming themselves "1.8.2". Mea culpa.
In the age of git, it's not such a big deal for a third party to play "patch secretary". De facto, a Debian maintainer has always been the secretary of last resort.
Jay