Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please make new release #686

Closed
Neustradamus opened this issue Jul 31, 2022 · 23 comments
Closed

Please make new release #686

Neustradamus opened this issue Jul 31, 2022 · 23 comments

Comments

@Neustradamus
Copy link

Neustradamus commented Jul 31, 2022

@madler: It is possible to release a new build with all build and CVE-2022-37434 fixes...?
A 1.2.12.1 or 1.2.13?

It is really important to have a solution to current 1.2.12.

Tickets/PRs:

In more:

About GitHub:

Thanks in advance.

Linked to:

cc: @gvollant.

@broonie
Copy link

broonie commented Aug 1, 2022

Please, this would be very helpful for Debian.

@0-wiz-0
Copy link

0-wiz-0 commented Aug 6, 2022

and CVE-2022-37434...

@vcunat
Copy link

vcunat commented Aug 8, 2022

Though fix for that CVE seems to be buggy: eff308a#commitcomment-80589094

@madler
Copy link
Owner

madler commented Aug 8, 2022

Fix should be fixed in 1eb7682 . (This is an example of why to not release too hastily.)

@Neustradamus
Copy link
Author

@madler: Thanks!

Can you look all tickets specified here: #686 (comment) to fix problems, and after, plan a new release?

@hyder365
Copy link

Any update?

@moralground
Copy link

Could we have the new release please?

@Neustradamus
Copy link
Author

@madler: Have you looked to solve all 1.2.12 cited bugs and create a new 1.2.12.1 or 1.2.13 release?

Please read at the top of this ticket...

@moralground
Copy link

@madler: Have you looked to solve all 1.2.12 cited bugs and create a new 1.2.12.1 or 1.2.13 release?

Please read at the top of this ticket...

* [Please make new release #686](https://github.com/madler/zlib/issues/686)

Ping @madler

@thesamesam
Copy link

thesamesam commented Sep 1, 2022

Fix should be fixed in 1eb7682 . (This is an example of why to not release too hastily.)

In reality, it's not. All distros were, are, and will be under pressure to backport CVE fixes quickly (if you think something is not worthy of a CVE, please dispute it with the organisation which publishes it -- they can note your disagreement and it'll affect how distros respond). All that then happens is we have to rely on word-of-mouth to get the extra fixup patches.

There is little motivation to wait for a release because we're never sure if one is going to come "soon" after the patch (it's rare that they happen, so it's unlikely to be worth waiting an extra week or two, as one is unlikely to happen then as well, from collective packagers' experience).

Besides, the last time we did have a release, a fixup release was needed afterwards anyway - which is fine (and normal!), but it just shows the nature of software development. Avoiding making releases won't stop people from using the patches.

The fact there's so many of these bugs being filed begging for a new release shows the current model isn't ideal.

If you want more confidence before making a release, my humble suggestion would be to communicate your plans to the community, and consider doing brief release candidates to smoke out issues. Distributions use these for testing but don't publish them to users.

@broonie
Copy link

broonie commented Sep 1, 2022

I agree with everything @thesamesam said here. Alternatively if the project is going to move to a git snapshot model without releases it'd be good to know that so that distros can proceed accordingly. Releases are generally preferable though, and would help ensure that people picking up zlib directly rather than using a distro are getting security fixes, they're more likely to pick up a release when there are releases available.

Like I said earlier in the history of the bug it'd be really helpful for Debian, I keep expecting a new release for all the reasons people have outlined and there's other work queued up behind that.

@madler
Copy link
Owner

madler commented Oct 6, 2022

Closing. This issue only refers to other issues.

@madler madler closed this as completed Oct 6, 2022
miklelappo added a commit to miklelappo/conan-center-index that referenced this issue Oct 11, 2022
@Neustradamus
Copy link
Author

@madler: Do not forget to solve all specified tickets here before the new release with CVE fix.

@madler
Copy link
Owner

madler commented Oct 12, 2022

I don't know what exactly you mean by "specified" or "tickets", but I'm certainly not going to attempt to address all outstanding issues and pull requests before the next release.

@madler
Copy link
Owner

madler commented Oct 12, 2022

Those are all either not high enough priority to address for the next release, or have already been addressed. Note that the stuff in contrib is not part of zlib.

@miklelappo
Copy link

@madler but is the next release even planned at the moment? Is there any approximate date?

@madler
Copy link
Owner

madler commented Oct 12, 2022

Real soon now.

@miklelappo
Copy link

Thanks for good news @madler!

conan-center-bot pushed a commit to conan-io/conan-center-index that referenced this issue Oct 14, 2022
* zlib: Fix CVE-2022-37434

Apply CVE fix and a fix of CVE fix

madler/zlib#686
openwrt/openwrt#10582

* Fix linter

* Add patches description

* Fix review
@Neustradamus
Copy link
Author

@madler has done the new build, the 1.2.13 has been released with the CVE-2022-37434 fix.

Thanks for this build and the merged commits from several people.

@miklelappo
Copy link

@madler thanks for a new release! Great job!

@AraHaan
Copy link
Contributor

AraHaan commented Oct 28, 2022

btw as for vs2022 I have made a PR for as well (and it includes ARM, ARM64, removes Itanium (seems it was removed back right after VS2010 and nobody noticed it, and finally also includes nuget packaging for developing using .NET that directly p/invokes the native library). That last update in my PR was needed as not all applications should depend on (possibly installed versions of zlib from package managers) as they might not find the exact version their application depends on.

Cogitri pushed a commit to dampsoft/conan-center-index that referenced this issue Nov 2, 2022
* zlib: Fix CVE-2022-37434

Apply CVE fix and a fix of CVE fix

madler/zlib#686
openwrt/openwrt#10582

* Fix linter

* Add patches description

* Fix review
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants