From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 02D261F55B for ; Thu, 4 Jun 2020 15:58:19 +0000 (UTC) Received: from localhost ([::1]:37268 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jgsG1-0003mP-UI for normalperson@yhbt.net; Thu, 04 Jun 2020 11:58:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46906) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jgs2o-0007Aq-SD for bug-gnulib@gnu.org; Thu, 04 Jun 2020 11:44:38 -0400 Received: from sprint-2.amdmi3.ru ([185.185.68.145]:27312) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jgs2n-0007Z8-Jh for bug-gnulib@gnu.org; Thu, 04 Jun 2020 11:44:38 -0400 Received: from amdmi3.ru (localhost [127.0.0.1]) by sprint-2.amdmi3.ru (Postfix) with SMTP id 518283D3B27 for ; Thu, 4 Jun 2020 18:44:34 +0300 (MSK) Received: by amdmi3.ru (nbSMTP-1.00) for uid 1000 amdmi3@amdmi3.ru; Thu, 4 Jun 2020 18:44:34 +0300 (MSK) Date: Thu, 4 Jun 2020 18:41:44 +0300 From: Dmitry Marakasov To: bug-gnulib@gnu.org Subject: Versioned releases Message-ID: <20200604154144.GB11553@hades.panopticon> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Received-SPF: none client-ip=185.185.68.145; envelope-from=amdmi3@amdmi3.ru; helo=sprint-2.amdmi3.ru X-detected-operating-system: by eggs.gnu.org: First seen = 2020/06/04 11:44:34 X-ACL-Warn: Detected OS = FreeBSD 9.x or newer [fuzzy] X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, NO_DNS_FOR_FROM=0.001, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN X-Spam_action: no action X-Mailman-Approved-At: Thu, 04 Jun 2020 11:58:15 -0400 X-BeenThere: bug-gnulib@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Gnulib discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnulib-bounces+normalperson=yhbt.net@gnu.org Sender: "bug-gnulib" Hi! Despite that gnulib homepage says "Gnulib does not make releases. It is intended to be used at the source level." gnulib is in fact packaged in quite a lot of distributions: https://repology.org/project/gnulib/versions Note that since there are no official versions maintainers have to invent versioning schemes which include "0", multiple date based and commit number based formats. There are known vulnerabilities for gnulib which also have to use something version-like to describe which gnulib versions are affected (these use dates in YYYY-MM-DD format): https://nvd.nist.gov/vuln/detail/CVE-2017-7476 https://nvd.nist.gov/vuln/detail/CVE-2018-17942 Note that it's impossible to match these against package versions due to inconsistent versioning scheme. So as you can see, even though there are no official versioned releases, people have to invent and use these to refer to specific gnulib commit ranges, and not having any consistency in these schemes results in e.g. inability to report vulnerable packages. So I suggest to fix this by introducing any kind of upstream versioning. Versions don't even need to have any meaning or be tied to specific events such as API breakages or adding new features (however using semver would probably be most useful for consumers), there's just need to be an official versioning scheme, and some eventual releases so people don't have to reside to inventing snapshot schemes. -- Dmitry Marakasov . 55B5 0596 FF1E 8D84 5F56 9510 D35A 80DD F9D2 F77D amdmi3@amdmi3.ru ..: https://github.com/AMDmi3