From: Rene E. <re...@de...> - 2016-01-23 18:41:09

Hi,

On Sat, Jan 23, 2016 at 11:08:37AM -0600, Martin Hosken wrote:
> > Please.
> > Ideally including which versions are affected (in my case I'd need to patch
> > 1.1.3 and 1.2.4) and which patches fix it...
>
> There are no patches against 1.2.4 or 1.1.3.

As Neil already said, we don't do that[1]. Whether it has a compatible
interface or not is not relevant.

> Both of these should be upgraded to 1.3.5 which has a compatible interface
> with all previous versions. If it doesn't then we will work to address that.

This is not true.

1.1.3 is libgraphite2.so.2.0.0
1.2.4 and 1.3.5 are libgraphite2.so.3

so at least r-deps need to be rebuilt, too. Which is a no-go[2]. You want us
to release a graphite2 and a libreoffice and a ... update?

> I'm afraid we have not kept track of precisely which patches provide
> security level bug fixes and there are a lot between 1.1.3 and 1.3.5. In
> addition, the code has changed a lot between those versions such that
> identifying which security bugs apply on which version of the code and even
> whether the bug fix works in that context is a difficult path to take.
> Instead it's easier just to upgrade the library.

But it's not what makes most sense.

> The project's policy is to ensure backward compatibility at the API level,
> but not at the feature level. We also don't separate security bug fixes from
> feature bug fixes. Sometimes the category is easy to identify but often it
> is not.

Then you should start to separate them. Upgrading to a full new release is a
no-go (and if the API/ABI/SONAME changed, it is mostly impossible).

Regards,

Rene

[1] except in cases where upstreams behave brokenly and didn't publicize
issues or patches themselves in a sensible manner. Like MySQL... This is NOT
the rule.
[2] It can happen in cases for [1] but it's rare.