Thread: [Winmerge-development] WinMerge security bug
From: Kimmo V. <ki...@wi...> - 2010-08-30 15:34:53
See bug #3056008 http://winmerge.org/bug/3056008

It is about dynamically loading DLL files. The report doesn't specify where the problems are, but there is a link to a tool that should show the problematic places?

Like I already commented on the bug, I have no interest (or even the tools) to do new 2.12.x releases. But before a release this should be analyzed to see if there is a real problem...

Regards,
Kimmo
From: Tim G. <ti...@ge...> - 2010-08-30 18:13:20
Hi all!

> It is about dynamically loading DLL files. The report doesn't specify
> where the problems are but there is link to tool that should show
> problematic places?

It must be a bigger problem, since many IT news sites wrote about the problem:

Microsoft warns of DLL vulnerability in applications
http://www.h-online.com/security/news/item/Microsoft-warns-of-DLL-vulnerability-in-applications-1064584.html

Microsoft tool for DLL vulnerability interferes with some applications
http://www.h-online.com/security/news/item/Microsoft-tool-for-DLL-vulnerability-interferes-with-some-applications-1069540.html

Greetings,
Tim
From: Kimmo V. <ki...@wi...> - 2010-08-31 18:19:55
Hi,

> It must be a bigger problem, since many IT news sites wrote about the
> problem:

Seems to be a major f*ckup of MS. The bug reporter gave more details and the vulnerability is in the MS VS2003 runtime DLLs! So there is nothing we can do to fix it. And I doubt MS will update the VS2003 runtimes anymore.

Our only option for a "fix" for 2.12.x would be to update to the VS 2005 or VS 2008 runtimes. Which would be quite a pain.

I'm not sure we have sorted out the runtimes update for 2.13.x yet. I haven't seen new bug reports against the latest experimental, but that may not tell much...

So it is pretty much out of the question to do the update for the "stable" release. So our option for a "fixed" WinMerge would be to release a 2.14.x stable release.

Regards,
Kimmo
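The Microsoft tool named in the news items above works by setting a registry value, CWDIllegalInDllSearch, that controls whether the current working directory takes part in DLL search. The script below is an added example, not code from the WinMerge project or from anyone in this thread: it reports the system-wide value and the per-application override for one binary. The executable name WinMergeU.exe is an assumption for illustration.

```powershell
# Added example, not WinMerge code: report the CWDIllegalInDllSearch level that
# Microsoft's DLL-preloading mitigation tool (KB2264107) writes, both
# system-wide and as a per-application override.
# $ExeName is an assumption for illustration; change it to the binary you audit.
param([string]$ExeName = 'WinMergeU.exe')

$ValueName = 'CWDIllegalInDllSearch'
$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$PerAppKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ExeName"

# Documented meanings of the DWORD (string keys so hashtable lookups are type-safe).
$Meaning = @{
    '0'          = 'default search order: current working directory is searched'
    '1'          = 'CWD skipped when it is a remote folder (UNC or WebDAV)'
    '2'          = 'CWD skipped when it is a WebDAV folder'
    '4294967295' = 'CWD removed from the DLL search order entirely'
}

function Get-CwdSearchSetting {
    param([string]$KeyPath)
    # Returns $null when the key or value is absent; otherwise the DWORD as an
    # unsigned value, because the registry API hands back 0xFFFFFFFF as Int32 -1.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32](([int64]$item.$ValueName) -band 0xFFFFFFFF)
}

function Format-Setting {
    param([string]$Scope, $Value)
    if ($null -eq $Value) { return "$Scope : not set (default search order applies)" }
    $text = $Meaning["$Value"]
    if (-not $text) { $text = 'unrecognised value' }
    return "$Scope : $Value -> $text"
}

$systemValue = Get-CwdSearchSetting $SystemKey
$appValue    = Get-CwdSearchSetting $PerAppKey

Format-Setting 'System-wide' $systemValue
Format-Setting "Per-app ($ExeName)" $appValue

# A per-application value overrides the system-wide one for that binary.
$effective = if ($null -ne $appValue) { $appValue } else { $systemValue }
if ($null -eq $effective -or $effective -eq 0) {
    Write-Warning "$ExeName still searches its working directory for DLLs; this is the exposure the advisory describes."
}
```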
From: T. G. <ti...@ge...> - 2010-09-01 12:07:24
Hi!

> So our option for "fixed" WinMerge would be to release 2.14.x stable
> release.

It would also be a "we are not dead" sign! :)

Greetings,
Tim
From: Kimmo V. <ki...@wi...> - 2010-09-01 15:03:12
Hi,

>> So our option for "fixed" WinMerge would be to release 2.14.x stable
>> release.
>
> It would be also a "we are not dead" sign! :)

I know you meant this with humor. But looking at our situation it is not funny at all. Just look at our changelogs and SVN log. There is very little happening for the past months. And creating a release requires lots of work from many people. We are releasing software for millions of people to use, so it is not something we can take lightly!

I know we discussed this in spring when we decided to start the WinMerge 3 effort. And I've written some forum posts. But the fact is that discussions and thinking about the subject are not code committed to SVN.

Also the current trunk situation is something between totally broken everywhere and working just great, depending on who you listen to. I've unfortunately lost my own "touch" to the situation, so I'm getting very confused about where we are. And so far I've seen very rare objective opinions about this.

So what opinion do others have? Are we in a totally unreleasable state or perhaps almost releasable? Meaning you could release it for a few million users and put your name on it?

It would be very good to get all the fixes and improvements to users. I'm all for it. But we must have reasonably stable code we are releasing. We cannot make it bug-free or implement everybody's wishes. But it MUST work for the majority of people. Not just for a couple of developers.

If we can get some kind of agreement about our current status and what is broken, we can at least decide what to do. What are the bugs/problems we are too embarrassed to release?

Regards,
Kimmo
From: Kimmo V. <ki...@wi...> - 2010-09-04 15:30:04
Hi,

> I am not sure if the Trunk is really in a totally bad state! Look at the
> download stats from the last experimental builds:
>
> * 2.13.13 = 7,189 downloads
> * 2.13.12 = 13,341 downloads
> * 2.13.11 = 9,513 downloads
>
> This are much more downloads as in the past (and not only because
> 2.13.12 was a time at the front page). So more people test the
> experimental builds as in the past.

That's what I've been wondering too. There are quite a lot of downloads and still no flood of (duplicate) bug reports. So it can't be *that* bad. But then we usually hear about lots of bugs only after the stable release. No matter how many experimental and beta releases we do.

>> If we can get some kind of agreement about our current status and what
>> is broken we can at least decide what to do. What are bugs/problems we
>> are too embarrassed to release?
>
> Why not create a Branch for 2.14 and create a beta version from there?
> We can promote the beta more then usually to get more tester. Then we
> get maybe a clearer show on the state.

A branch becomes painful after a while with our current SVN setup. You need to apply fixes twice and decide which patch gets included where. To compile and test from both branches. Etc. Also after a while some parts of the code can diverge so much that we need to fix the same bug differently in trunk and branch. So a branch means quite a lot of additional work and time spent.

So I don't want a branch yet. But what we can do is release a beta release from the trunk. And put trunk into "soft freeze" until we create the release branch. Meaning no high-risk commits. But we need a pretty good baseline for this, so that we don't need those high-risk commits to fix things.

Regards,
Kimmo
From: Tim G. <ti...@ge...> - 2010-09-05 11:02:14
Hi!

> So I don't want branch yet. But what we can do is release beta release
> from the trunk. And put trunk into "soft freeze" until we create the
> release branch. Meaning that no high-risk commits. But we need pretty
> good baseline for this so that we don't need those high-risk commits to
> fix things.

Sounds also like a good idea. We only add bug fixes for current problems and things like translation updates.

Greetings,
Tim
From: Tim G. <ti...@ge...> - 2010-09-01 19:34:46
Hi!

> So what opinion others have? Are we in totally unreleasable state or
> perhaps almost releasable? Meaning you could release it for few million
> users and put your name on it?

I am not sure if the Trunk is really in a totally bad state! Look at the download stats from the last experimental builds:

* 2.13.13 = 7,189 downloads
* 2.13.12 = 13,341 downloads
* 2.13.11 = 9,513 downloads

These are many more downloads than in the past (and not only because 2.13.12 was for a time on the front page). So more people test the experimental builds than in the past.

> If we can get some kind of agreement about our current status and what
> is broken we can at least decide what to do. What are bugs/problems we
> are too embarrassed to release?

Why not create a Branch for 2.14 and create a beta version from there? We can promote the beta more than usual to get more testers. Then we maybe get a clearer view of the state.

Greetings,
Tim