Subject: Re: Why commands in the source tree don't have version?
To: Bill Sommerfeld <firstname.lastname@example.org>
From: Jim Wise <email@example.com>
Date: 02/13/2001 21:39:11
On Tue, 13 Feb 2001, Bill Sommerfeld wrote:
>> We have very explicit versioning for each system command
>> and library:
>> 0.9, 1.0, 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.4, 1.4.1, 1.4.2,
>> 1.4.3, 1.4.4, 1.5, soon 1.5.1 and 1.6. It's called release number.
>For what I hope would be obvious reasons this is not sufficient in the
>presence of interim patches (such as the ones included in/referenced
>by security advisories).
>We can do better.

That's right. The upcoming system package system changes do what I
think is a good middle ground in this respect -- for example, the SSH
binaries shipped in 1.7 will show up in pkg_info as

where the last `.0' is specific to the package, and can be incremented
if a new version of the package is released to address a security

This will allow the user to quickly determine (via pkg_info) if a
security patch has been applied.

Since package tiny versions will be monotonically increasing on the
release branch, if the last security patch for NetBSD-1.7 upgraded the
base-secsh-bin package to version 1.7.4, when the 1.7.1 release is
shipped, it will come with version 188.8.131.52 (or 184.108.40.206 if other changes
have come in in the meantime) of this package.