Subject: Re: Why commands in the source tree don't have version?
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Jim Wise <jwise@draga.com>
List: current-users
Date: 02/13/2001 21:39:11

On Tue, 13 Feb 2001, Bill Sommerfeld wrote:

>> We have very explicit versioning for each system command
>> and library:
>> 0.9, 1.0, 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.4, 1.4.1, 1.4.2,
>> 1.4.3, 1.4.4, 1.5, soon 1.5.1 and 1.6. It's called release number.
>
>For what I hope would be obvious reasons this is not sufficient in the
>presence of interim patches (such as the ones included in/referenced
>by security advisories).
>
>We can do better.

That's right.  The upcoming system package system changes do what I
think is a good middle ground in this respect -- for example, the SSH
binaries shipped in 1.7 will show up in pkg_info as

	base-secsh-bin-1.7.0

where the last `.0' is specific to the package, and can be incremented
if a new version of the package is released to address a security
problem.

This will allow the user to quickly determine (via pkg_info) if a
security patch has been applied.

Since package tiny versions will be monotonically increasing on the
release branch, if the last security patch for NetBSD-1.7 upgraded the
base-secsh-bin package to version 1.7.4, when the 1.7.1 release is
shipped, it will come with version 1.7.1.4 (or 1.7.1.5 if other changes
have come in in the meantime) of this package.

-- 
				Jim Wise
				jwise@draga.com
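The version scheme Jim describes, worked through as an added example (not code from the message or from NetBSD's own tools): it parses constructed pkg_info-style lines, treats the last version component as the package "tiny" version and everything before it as the release number, and checks whether an installed package is at or past the version an advisory names. It assumes pkg_info prints one `name-version` entry per line and that package names never end in a dotted number.

```python
import re
from typing import Optional, Tuple

# Constructed sample of pkg_info-style output, not real NetBSD output.
SAMPLE_PKG_INFO = """\
base-secsh-bin-1.7.4    Secure shell client and server binaries
base-libc-1.7.0         Standard C library
"""

# Name is everything before the final "-<dotted number>"; backtracking
# in \S+ finds that boundary even though names contain dashes.
PKG_RE = re.compile(r"^(?P<name>\S+)-(?P<ver>\d+(?:\.\d+)+)(?:\s|$)")


def split_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'R.R[.R].T' into (release number tuple, package tiny version)."""
    parts = [int(p) for p in ver.split(".")]
    if len(parts) < 2:
        raise ValueError(f"need at least release.tiny: {ver!r}")
    return tuple(parts[:-1]), parts[-1]


def compare_versions(a: str, b: str) -> int:
    """Order two package versions: release number first, then tiny version.

    A plain tuple comparison would rank 1.7.4 above 1.7.1.4, but under the
    scheme 1.7.1 is a later release than 1.7, so 1.7.1.4 must win.
    Returns -1, 0 or 1.
    """
    key_a = split_version(a)
    key_b = split_version(b)
    return (key_a > key_b) - (key_a < key_b)


def installed_version(pkg_info_output: str, name: str) -> Optional[str]:
    """Return the installed version of `name`, or None if not installed."""
    for line in pkg_info_output.splitlines():
        m = PKG_RE.match(line)
        if m and m.group("name") == name:
            return m.group("ver")
    return None


def patch_applied(pkg_info_output: str, name: str, fixed_in: str) -> bool:
    """True if the installed package is at or past the advisory's fixed version."""
    ver = installed_version(pkg_info_output, name)
    return ver is not None and compare_versions(ver, fixed_in) >= 0
```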