[SM-DEVEL] Security Patch Version Stuffs

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was cleaning up my -users and -devel folders, and stumbled across an
email that questioned a security patch.  Not the patch itself, but the
deployment of it.  The user had assumed it'd upgrade his 1.4.8 to
1.4.9a.  While this isn't going to happen for a security patch, it did
make me start thinking.

I was thinking of identifying each patch with a specific code that is
unique across versions.  I was thinking of a bitwise operation of some
sort, along with a deployment script.

Take for example, you're running 1.4.9a. The version of your
SquirrelMail is 1.4.9a patch L0. We release a security update, which
we tag as 1, so your patch level becomes L1. Later we release a second
patch which is tagged as 2, so applying both patches takes you to L3.
Later we release another patch, which is patch 4. Now if you've been a
good SquirrelMail admin, your patch level is now L7. However, say you
missed patch 2, your patch level is L5. More details on bitwise
operations can be found on wikipedia [1] for those unfamiliar with
them.

This would make it easy to implement a small script to "check updates"
by simply posting the version, and patch level to a website, and it
returning the possible security updates.  Similar scripts could be
used to download a .sqp (really a tarball with a version file, and the
patch) and apply the patch, and level to the code.

Views?  Or should I just go back to bed?

- --
Jonathan Angliss
<jo...@sq...>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFFwuL6K4PoFPj9H3MRAmNgAJ9jExDMON0Z+3XbgIcPLjdtHWab2QCg2mdd
/r0lUV6ITeQw49tazY6Vd7k=
=OMhN
-----END PGP SIGNATURE-----