Re: [Openexr-devel] Request for feedback: OpenEXR v2.2.1 .so version cha

From: Richard Addison-Wood
Subject: Re: [Openexr-devel] Request for feedback: OpenEXR v2.2.1 .so version changes
Date: Fri, 22 Dec 2017 14:30:30 +1300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0

Basically, a 2.2.2 release would be in the correct form without the questions about whether it is the correct variation. Anyone looking to grab the latest 2.2.* would get the security fix as a drop-in replacement for 2.2.0.

A new 2.2.1 release would be in the correct form, but there is the possibility that the wrong variation has escaped during the window between the first release and the correction. Issue #250 certainly shows that the original 2.2.1 has been picked up.

We would want to deprecate the 2.2.1 releases because of the ambiguity.  But, the new official corrected 2.2.1 would still be valid.

I am curious about the reasons why it might be preferable to only doing option a.

As a reminder, we really do want to keep the bumps in version info in the namespace and the SONAME synchronized.

On 12/22/17 12:29, Francois Chardavoine wrote:
Why do b) as well if we go with a) ?

On Thu, Dec 21, 2017 at 1:52 PM, Richard Addison-Wood <address@hidden> wrote:
How about both options a and b?

On 12/22/17 05:56, Wayne Wooten wrote:

 The Pixar team would prefer option A as well.

On December 21, 2017 at 8:48:15 AM, Larry Gritz (address@hidden) wrote:

I don't have a strong opinion, but the widely used convention is that you should bump the so version when link compatibility changes. I'm ok with (a), I don't think I've yet seen 2.2.1 in the wild.

On Dec 20, 2017, at 11:31 PM, Francois Chardavoine <address@hidden> wrote:

It has been brought to our attention that the decision to increment the so version as part of the 2.2.1 release may be problematic:

It would be great to get any additional community commentary on this. The .so version was bumped up mainly as an (admittedly conservative) precautionary measure, since it had been a long time since the previous release. Given that these are security vulnerability fixes, it's understandable that there might be in some cases a desire to be able to drop in replacement builds of OpenEXR without recompiling the host application.

Two options we can take are:
  • a)- patch the currently tagged 2.2.1 to no longer include an .so version change. This could be controversial unless we get feedback that no one has adopted 2.2.1 in any significant way yet (to avoid confusion around "what version of 2.2.1 did you use?")
  • b)- release a 2.2.2 version which is identical to 2.2.1, except with the older so version. This is somewhat inelegant, but likely cleaner than option a).

Does the community have any strong positions on this either way?

Larry Gritz

Openexr-devel mailing list
