
Please make new release

Open Neustradamus opened this issue 3 years ago • 9 comments

@madler: Is it possible to release a new build with all the build fixes and the CVE-2022-37434 fix? A 1.2.12.1 or 1.2.13?

It is really important to have a fix for the current 1.2.12.

Tickets/PRs:

  • https://github.com/madler/zlib/issues/404
  • https://github.com/madler/zlib/issues/604
  • https://github.com/madler/zlib/pull/607
  • https://github.com/madler/zlib/issues/608
  • https://github.com/madler/zlib/issues/609
  • https://github.com/madler/zlib/issues/613
  • https://github.com/madler/zlib/pull/614
  • https://github.com/madler/zlib/issues/615
  • https://github.com/madler/zlib/issues/617
  • https://github.com/madler/zlib/issues/618
  • https://github.com/madler/zlib/issues/620 + https://github.com/Esri/zlib/commit/05b33dd27dbbfc9360d5c2430e228d7dc48f92f6
  • https://github.com/madler/zlib/issues/622
  • https://github.com/madler/zlib/issues/623
  • https://github.com/madler/zlib/pull/624
  • https://github.com/madler/zlib/issues/628
  • https://github.com/madler/zlib/issues/629
  • https://github.com/madler/zlib/issues/631
  • https://github.com/madler/zlib/pull/632
  • https://github.com/madler/zlib/issues/635
  • https://github.com/madler/zlib/pull/638
  • https://github.com/madler/zlib/pull/639
  • https://github.com/madler/zlib/pull/644
  • https://github.com/madler/zlib/pull/645
  • https://github.com/madler/zlib/issues/646
  • https://github.com/madler/zlib/issues/660
  • https://github.com/madler/zlib/issues/661
  • https://github.com/madler/zlib/pull/662
  • https://github.com/madler/zlib/issues/668
  • https://github.com/madler/zlib/issues/672
  • https://github.com/madler/zlib/pull/677

In addition:

  • https://github.com/madler/zlib/pull/557
  • https://github.com/madler/zlib/pull/657
  • https://github.com/madler/zlib/pull/681
  • https://github.com/madler/zlib/pull/691

About GitHub:

  • https://github.com/madler/zlib/pull/492
  • https://github.com/madler/zlib/pull/506

Thanks in advance.

Linked to:

  • https://github.com/madler/zlib/issues/422

cc: @gvollant.

Neustradamus avatar Jul 31 '22 18:07 Neustradamus

Please, this would be very helpful for Debian.

broonie avatar Aug 01 '22 11:08 broonie

and CVE-2022-37434...

0-wiz-0 avatar Aug 06 '22 08:08 0-wiz-0

Though the fix for that CVE seems to be buggy: https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1#commitcomment-80589094

vcunat avatar Aug 08 '22 15:08 vcunat

@madler: Comments of:

  • @bagder: https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1#commitcomment-80589094
  • @piru: https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1#commitcomment-80595833

Have you seen the issue of @winterqt:

  • https://github.com/curl/curl/issues/9271

Have you seen the PR of @winterqt:

  • https://github.com/madler/zlib/pull/688

Neustradamus avatar Aug 08 '22 16:08 Neustradamus

Fix should be fixed in https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d . (This is an example of why to not release too hastily.)

madler avatar Aug 08 '22 18:08 madler

@madler: Thanks!

Can you look at all the tickets specified here: https://github.com/madler/zlib/issues/686#issue-1323540821 to fix the problems, and then plan a new release?

Neustradamus avatar Aug 08 '22 19:08 Neustradamus

Any update?

hyder365 avatar Aug 13 '22 17:08 hyder365

Could we have the new release please?

moralground avatar Aug 16 '22 19:08 moralground

@madler: Have you looked at solving all the cited 1.2.12 bugs and creating a new 1.2.12.1 or 1.2.13 release?

Please read at the top of this ticket...

  • https://github.com/madler/zlib/issues/686

Neustradamus avatar Aug 17 '22 00:08 Neustradamus

> @madler: Have you looked at solving all the cited 1.2.12 bugs and creating a new 1.2.12.1 or 1.2.13 release?
>
> Please read at the top of this ticket...
>
> * [Please make new release #686](https://github.com/madler/zlib/issues/686)

Ping @madler

moralground avatar Aug 25 '22 23:08 moralground

> Fix should be fixed in 1eb7682 . (This is an example of why to not release too hastily.)

In reality, it's not. All distros were, are, and will be under pressure to backport CVE fixes quickly (if you think something is not worthy of a CVE, please dispute it with the organisation which publishes it -- they can note your disagreement and it'll affect how distros respond). All that then happens is we have to rely on word-of-mouth to get the extra fixup patches.

There is little motivation to wait for a release because we're never sure if one is going to come "soon" after the patch (it's rare that they happen, so it's unlikely to be worth waiting an extra week or two, as one is unlikely to happen then as well, from collective packagers' experience).

Besides, the last time we did have a release, a fixup release was needed afterwards anyway - which is fine (and normal!), but it just shows the nature of software development. Avoiding making releases won't stop people from using the patches.

The fact there's so many of these bugs being filed begging for a new release shows the current model isn't ideal.

If you want more confidence before making a release, my humble suggestion would be to communicate your plans to the community, and consider doing brief release candidates to smoke out issues. Distributions use these for testing but don't publish them to users.

thesamesam avatar Sep 01 '22 03:09 thesamesam

I agree with everything @thesamesam said here. Alternatively, if the project is going to move to a git snapshot model without releases, it'd be good to know that so that distros can proceed accordingly. Releases are generally preferable though, and would help ensure that people picking up zlib directly rather than using a distro are getting security fixes; they're more likely to pick up a release when there are releases available.

Like I said earlier in the history of the bug, it'd be really helpful for Debian. I keep expecting a new release for all the reasons people have outlined, and there's other work queued up behind that.

broonie avatar Sep 01 '22 12:09 broonie

Closing. This issue only refers to other issues.

madler avatar Oct 06 '22 22:10 madler

@madler: Do not forget to solve all the tickets specified here before the new release with the CVE fix.

Neustradamus avatar Oct 12 '22 00:10 Neustradamus

I don't know what exactly you mean by "specified" or "tickets", but I'm certainly not going to attempt to address all outstanding issues and pull requests before the next release.

madler avatar Oct 12 '22 00:10 madler

@madler: Based on my first message, with the closed ones removed.

Tickets/PRs:

  • https://github.com/madler/zlib/pull/337
  • https://github.com/madler/zlib/issues/404
  • https://github.com/madler/zlib/issues/604
  • https://github.com/madler/zlib/pull/614
  • https://github.com/madler/zlib/issues/623
  • https://github.com/madler/zlib/pull/632
  • https://github.com/madler/zlib/pull/639
  • https://github.com/madler/zlib/pull/644
  • https://github.com/madler/zlib/pull/645
  • https://github.com/madler/zlib/pull/677

In addition:

  • https://github.com/madler/zlib/pull/557
  • https://github.com/madler/zlib/pull/657
  • https://github.com/madler/zlib/pull/681
  • https://github.com/madler/zlib/pull/691

About GitHub:

  • https://github.com/madler/zlib/pull/492

Please note how to merge:

  • https://github.com/madler/zlib/pull/607#issuecomment-1081374446

To see the most recently updated issues/PRs:

Issues:

  • https://github.com/madler/zlib/issues?q=is%3Aissue+sort%3Aupdated-desc+is%3Aopen

PRs:

  • https://github.com/madler/zlib/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc

Neustradamus avatar Oct 12 '22 00:10 Neustradamus

Those are all either not high enough priority to address for the next release, or have already been addressed. Note that the stuff in contrib is not part of zlib.

madler avatar Oct 12 '22 01:10 madler

@madler but is the next release even planned at the moment? Is there any approximate date?

miklelappo avatar Oct 12 '22 08:10 miklelappo

Real soon now.

madler avatar Oct 12 '22 09:10 madler

Thanks for good news @madler!

miklelappo avatar Oct 12 '22 09:10 miklelappo

@madler has done the new build: 1.2.13 has been released with the CVE-2022-37434 fix.

Thanks for this build and the merged commits from several people.

Neustradamus avatar Oct 14 '22 07:10 Neustradamus
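As an added example (not code from the zlib project or from anyone in this thread), here is a small check a packager or application owner can run to see which zlib a Python process actually loaded and whether it is at least the 1.2.13 release named above as carrying the CVE-2022-37434 fix. It relies only on the `ZLIB_VERSION` and `ZLIB_RUNTIME_VERSION` constants of Python's standard `zlib` module; the version parser and the `1.2.12.1` handling are this example's own.

```python
import zlib

# First upstream release the thread above names as shipping the
# CVE-2022-37434 fix. (Example assumption: version-only check; a distro
# that backported the patch onto 1.2.12 will still report 1.2.12.)
FIXED_RELEASE = (1, 2, 13)


def parse_version(text: str) -> tuple:
    """Turn a zlib version string such as '1.2.12' or '1.2.12.1' into a
    comparable tuple of ints. A non-numeric suffix ('1.2.13-dev') is
    dropped; parsing stops at the first component with no leading digits."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def release_has_fix(version: str, fixed: tuple = FIXED_RELEASE) -> bool:
    """True if the version string names an upstream release >= 1.2.13.
    Tuple comparison orders '1.2.12.1' before '1.2.13', as intended, so a
    hypothetical 1.2.12.1 point release would not be mistaken for 1.2.13."""
    return parse_version(version) >= fixed


def runtime_report() -> dict:
    """Compare the zlib headers Python was compiled against with the shared
    library loaded at runtime. They differ when the distro upgraded libz
    after the interpreter was built; the runtime value is the one that
    matters for the CVE."""
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {
        "compiled_against": zlib.ZLIB_VERSION,
        "loaded_at_runtime": runtime,
        "runtime_is_1_2_13_or_later": release_has_fix(runtime),
    }


if __name__ == "__main__":
    for key, value in runtime_report().items():
        print(f"{key}: {value}")
```

A `False` result means the loaded library predates 1.2.13 upstream; as thesamesam notes above, distributions routinely backport CVE fixes without bumping the version, so treat the check as a prompt to look at the package changelog, not as proof of vulnerability.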

@madler thanks for a new release! Great job!

miklelappo avatar Oct 14 '22 07:10 miklelappo

By the way, as for VS2022, I have made a PR for that as well (it includes ARM and ARM64, removes Itanium (it seems it was removed right after VS2010 and nobody noticed), and finally also includes NuGet packaging for developing with .NET that directly P/Invokes the native library). That last update in my PR was needed because not all applications should depend on possibly installed versions of zlib from package managers, as they might not find the exact version their application depends on.

AraHaan avatar Oct 28 '22 05:10 AraHaan