Re: [SM-DEVEL] Security Patch Version Stuffs

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Paul,
On Sunday, February 04, 2007, Paul wrote:
>>>> I was cleaning up my -users and -devel folders, and stumbled
>>>> across an email that questioned a security patch. Not the patch
>>>> itself, but the deployment of it. The user had assumed it'd
>>>> upgrade his 1.4.8 to 1.4.9a. While this isn't going to happen for
>>>> a security patch, it did make me start thinking.

>>>> I was thinking of identifying each patch with a specific code
>>>> that is unique across versions. I was thinking of a bitwise
>>>> operation of some sort, along with a deployment script.

>>>> Take for example, you're running 1.4.9a. The version of your
>>>> SquirrelMail is 1.4.9a patch L0. We release a security update,
>>>> which we tag as 1, so your patch level becomes L1. Later we
>>>> release a second patch which is tagged as 2, so applying both
>>>> patches takes you to L3. Later we release another patch, which is
>>>> patch 4. Now if you've been a good SquirrelMail admin, your patch
>>>> level is now L7. However, say you missed patch 2, your patch
>>>> level is L5. More details on bitwise operations can be found on
>>>> wikipedia [1] for those unfamiliar with them.

>>> Sounds like a neat idea, but how would this affect people who are
>>> running 1.4.9a (when the current version is, say, 1.4.12) and
>>> instead of upgrading, they just take all the security patches that
>>> are released and apply them....??

>> We can provide the "scripts" as a small package to download. The
>> patch level can be kept outside of the SQM code, and stored in a
>> .php file.

> OK, but my question is more about what the meaning of patch levels is
> when the main SM version is older.  If L0 starts with SM 1.4.10, and
> if we start at L0 again with SM 1.4.11, then managing patch levels for
> SM 1.4.10 beyond the release of SM 1.4.11 is either very ambiguous or
> quite a lot of maintenance, especially if we do it for every release
> separately.

You don't reset the patch level number.  Maybe "level" was a bad term,
I guess just a "patch number".  The numeric just increases.  It's also
not sequential either, otherwise bitwise math wouldn't work right. For
example:

  Patch 1:  00000001
  Patch 2:  00000002
  Patch 3:  00000004
  Patch 4:  00000008
  Patch 5:  00000010
  Patch 6:  00000020
  Patch 7:  00000030

If all the above patches were installed, you'd get a patch "level" of
0000003F.

> So if we do the opposite and never reset back to L0, then if there
> were five levels before 1.4.11 was released, does 1.4.10-L6 imply
> that only security patches are applied in L6, or is there any other
> fixes from 1.4.11 included in it from 1.4.11?

Probably only security fixes should be supplied as patches like this.

> What if L8 does not apply cleanly to 1.4.10? etc....

Then the patch "level" isn't increased in your files, and a report
would be generated to tell you something wasn't right.

This was originally a "random thought".  I get them often, and can
usually be dismissed by chuckling at me and pointing.  I think this
might be one of those ideas that can probably be sent to the black
hole, unless there is a genuine interest.

- --
Jonathan Angliss
<jo...@sq...>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFFxsCHK4PoFPj9H3MRAmCIAKD7MspzGPDVUK3UpovajVlLW45uoACgvr2E
P1poNsEZt+9XBOE7PMvGIVw=
=QI+l
-----END PGP SIGNATURE-----