From: Jonathan A. <jo...@sq...> - 2007-02-05 05:29:18
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Paul,

On Sunday, February 04, 2007, Paul wrote:

>>>> I was cleaning up my -users and -devel folders, and stumbled
>>>> across an email that questioned a security patch. Not the patch
>>>> itself, but the deployment of it. The user had assumed it'd
>>>> upgrade his 1.4.8 to 1.4.9a. While this isn't going to happen for
>>>> a security patch, it did make me start thinking.

>>>> I was thinking of identifying each patch with a specific code
>>>> that is unique across versions. I was thinking of a bitwise
>>>> operation of some sort, along with a deployment script.

>>>> Take for example, you're running 1.4.9a. The version of your
>>>> SquirrelMail is 1.4.9a patch L0. We release a security update,
>>>> which we tag as 1, so your patch level becomes L1. Later we
>>>> release a second patch which is tagged as 2, so applying both
>>>> patches takes you to L3. Later we release another patch, which is
>>>> patch 4. Now if you've been a good SquirrelMail admin, your patch
>>>> level is now L7. However, say you missed patch 2, your patch
>>>> level is L5. More details on bitwise operations can be found on
>>>> wikipedia [1] for those unfamiliar with them.

>>> Sounds like a neat idea, but how would this affect people who are
>>> running 1.4.9a (when the current version is, say, 1.4.12) and
>>> instead of upgrading, they just take all the security patches that
>>> are released and apply them....??

>> We can provide the "scripts" as a small package to download. The
>> patch level can be kept outside of the SQM code, and stored in a
>> .php file.

> OK, but my question is more about what the meaning of patch levels is
> when the main SM version is older. If L0 starts with SM 1.4.10, and
> if we start at L0 again with SM 1.4.11, then managing patch levels for
> SM 1.4.10 beyond the release of SM 1.4.11 is either very ambiguous or
> quite a lot of maintenance, especially if we do it for every release
> separately.

You don't reset the patch level number. Maybe "level" was a bad term, I
guess just a "patch number". The numeric just increases. It's also not
sequential either, otherwise bitwise math wouldn't work right. For
example:

Patch 1: 00000001
Patch 2: 00000002
Patch 3: 00000004
Patch 4: 00000008
Patch 5: 00000010
Patch 6: 00000020
Patch 7: 00000030

If all the above patches were installed, you'd get a patch "level" of
0000003F.

> So if we do the opposite and never reset back to L0, then if there
> were five levels before 1.4.11 was released, does 1.4.10-L6 imply
> that only security patches are applied in L6, or is there any other
> fixes from 1.4.11 included in it from 1.4.11?

Probably only security fixes should be supplied as patches like this.

> What if L8 does not apply cleanly to 1.4.10? etc....

Then the patch "level" isn't increased in your files, and a report would
be generated to tell you something wasn't right.

This was originally a "random thought". I get them often, and can usually
be dismissed by chuckling at me and pointing. I think this might be one
of those ideas that can probably be sent to the black hole, unless there
is a genuine interest.

- --
Jonathan Angliss
<jo...@sq...>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFFxsCHK4PoFPj9H3MRAmCIAKD7MspzGPDVUK3UpovajVlLW45uoACgvr2E
P1poNsEZt+9XBOE7PMvGIVw=
=QI+l
-----END PGP SIGNATURE-----
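The bitmask scheme Jonathan sketches above, worked through as an added example that is not part of the thread or of SquirrelMail itself. It is written in Python rather than the PHP file the thread mentions, and the patch registry, descriptions and the "L" naming are constructed for the example. Each released patch owns one bit (patch n sets bit n-1), the stored level is the OR of every patch that applied cleanly, a patch that fails to apply leaves the level untouched and is reported, and an audit routine turns the level back into the list of advisories an install is still missing, which is the defender's real use for the number:

```python
"""Bitmask "patch level" for out-of-band security patches (illustrative model).

Patch n owns bit (n - 1), so a single integer records exactly which released
security patches an install carries.  The registry below is constructed for
this example; it is not a real SquirrelMail patch list.
"""

# Constructed registry of released patches: patch number -> short description.
# Three patches, matching the L0 -> L1 -> L3 -> L7 walk-through in the thread.
RELEASED = {
    1: "placeholder advisory A",
    2: "placeholder advisory B",
    3: "placeholder advisory C",
}


def patch_bit(patch_number: int) -> int:
    """Bit value owned by a patch: patch 1 -> 0x1, patch 2 -> 0x2, patch 3 -> 0x4."""
    if patch_number < 1:
        raise ValueError("patch numbers start at 1")
    return 1 << (patch_number - 1)


def apply_patch(level: int, patch_number: int, applied_cleanly: bool) -> tuple[int, str]:
    """Return (new_level, report line).

    The bit is set only when the patch applied cleanly.  A failed apply leaves
    the level unchanged, so the stored number never claims a fix that is not
    actually in the tree; re-applying a patch already present is a no-op.
    """
    bit = patch_bit(patch_number)
    if level & bit:
        return level, f"patch {patch_number}: already applied, level stays L{level}"
    if not applied_cleanly:
        return level, f"patch {patch_number}: FAILED to apply, level stays L{level}"
    level |= bit
    return level, f"patch {patch_number}: applied, level now L{level}"


def installed(level: int, released=RELEASED) -> list[int]:
    """Patch numbers whose bit is set in the level."""
    return [n for n in released if level & patch_bit(n)]


def missing(level: int, released=RELEASED) -> list[int]:
    """Released patch numbers whose bit is NOT set: the outstanding advisories."""
    return [n for n in released if not level & patch_bit(n)]


def audit(version: str, level: int, released=RELEASED) -> str:
    """Human-readable status, e.g. '1.4.9a-L5: missing patch 2 (...)'."""
    gaps = missing(level, released)
    if not gaps:
        return f"{version}-L{level}: all {len(released)} released patches applied"
    detail = ", ".join(f"{n} ({released[n]})" for n in gaps)
    return f"{version}-L{level}: missing patch {detail}"


if __name__ == "__main__":
    # Walk the scenario from the thread: apply patch 1, miss patch 2, apply patch 3.
    level = 0
    for number, ok in ((1, True), (2, False), (3, True)):
        level, line = apply_patch(level, number, ok)
        print(line)
    print(audit("1.4.9a", level))          # 1.4.9a-L5: missing patch 2 (...)
    print(audit("1.4.9a", 0b111))          # all three applied -> L7
```

Because the level is an OR of independent bits, an admin who skipped one patch still has an honest number (L5 rather than L7), and `audit` can name the skipped advisory without any knowledge of the order the patches were applied in.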