lua-users home
lua-l archive

However, that doesn't change the fact that 3 major distributions
completely forgot that they need to check for those patches, and then
also seemed unaware there was a security exploit among them (relevant to
script-level sandboxing).

Therefore I can only reiterate my suggestion to improve the website with
an obvious notice on the download site, and possibly prominent security
announcements somewhere about actual discovered exploits. Distributors
can patch, but if they aren't aware when something notable to be patched
comes around (a security issue), it's kind of a useless fact.

On 08/26/2014 11:18 PM, Jay Carlson wrote:
> On Aug 26, 2014, at 2:57 PM, Roberto Ierusalimschy <roberto@inf.puc-rio.br> wrote:
> 
>> Would our sin be smaller if our single crash bug had no
>> known patch?
> 
> No. We especially love localized patches. They aren't sins, they're acts of benevolence. We want to use those patches. Because this patch doesn't really have a name (nor does 5.2.3+patch have a name), fewer people knew about this good work.
> 
> Full releases are a pain, and I don't want you to avoid disclosing experimental or one-off patches because it would imply a full release.
> 
> Perhaps after a week or so on the mailing list, you could say: "OK, let's give our patch from 2014-04-01 the name '5.2.3 post1'." I think search engines would index that, so anybody could find your mailing list message. Obviously, 5.2.4 would later roll up those patches.
> 
> But having patches at all is better than keeping clean naming and no patches.
> 
> With software at this level of stability, it is sometimes difficult to do anything with names. In retrospect, I made a mess once from not wanting to name things. I had patched "1.8.0p6" to "1.8.0r1", "1.8.0r2", ending up at "1.8.1". Then I stopped naming things. Later, the next maintainer had to skip to "1.8.3" because there were so many third-party patchsets prematurely naming themselves "1.8.2". Mea culpa.
> 
> In the age of git, it's not such a big deal for a third party to play "patch secretary". De facto, a Debian maintainer has always been the secretary of last resort.
> 
> Jay
>