Is the version unambiguous?

[chadwhitacre]

Is the Fernet spec's versioning unambiguous? The spec on current master says:

This document describes version 0x80 (currently the only version) of the fernet format.

However, the current master is the sixteenth commit since the doc started, and it was called 0x80 when it started, too. What did those commits change? Should some of them have bumped the version?

The current lack of tags further suggests that version 0x80 is ambiguous.

[chadwhitacre]

From a skim of the 16 commits, here are the ones that jump out as potentially version-bumping changes:

ca8b345 pins to CBC, meaning that implementations of 1fa950a's 0x80 don't guarantee CBC.

58d2827 appears to change from nanoseconds to seconds—the commit message ("new format") and diff (wait—"gAAAAA" is new?! 😳 ) in 115850d further suggest a version-bump-worthy change.

3bbe466 "document checking version byte"—so it is new

c55d0d4 diff suggests that base64url was indicated in at least some specific locations in the original 0x80—was it so indicated everywhere?

0514d7d clear algorithm change

was it so indicated everywhere?

0250c59 Answer: no.

[chadwhitacre]

Is the version unambiguous?

The answer appears to be "yes."

In which case, the action item here is to ... what? Clean up Fernet's versioning somehow. By applying new version numbers to the version-bumping commits above? By dropping back to Git SHA for version? By adopting semantic versioning?

[chadwhitacre]

To be explicit: this issues makes auditing somewhat more difficult.

[chadwhitacre]

Clean up Fernet's versioning somehow.

By tagging 0250c59 as 0x80 and adopting a versioning policy for future changes?