[Phpgroupware-developers] CVS branches tags policy ... risks for end users applying patches with cvs update ?

[Olivier Berger]

Hi.

<disclaimer>I'm a user and not a developper, so pardon me if I mess with
other people's business.</disclaimer>

I'm considering the process suggested for users to apply "security" or
other fixes patches in phpgroupware (namely using cvs updates in the
contents of the initial tarball)...


I'm wondering if there is a specific policy you apply for CVS tags
relating to the branches on released versions, and would like to be sure
that there's no issue with applying the "security" updates suggested by
the phpGroupware docs.


If I get the picture right, the updates concerning the 0.9.16-001
version are available using the Version-0_9_16-branch checkout tag.

But if I look at the sources, I'm surprised to see that only a few
elements are tagged with this branch tag...

So I assume that the policy in the project is to tag only when the HEAD
commits won't apply safely to "patches" on the released version any
longer, and assume, then, that every commits on the HEAD will be
properly applied to the user's installed versions when they do a cvs
update under their untar'd copy.


It seems quite optimistic to me, unless every phpgw developper
understand this very clearly, and I wonder if a more conservative
approach wouldn't be more secure for the users, that is to tag every
elements both with the release tag (Version-0_9_16-000) and the
corresponding branch tag (Version-0_9_16-branch), and potentially move
the branch tag on the HEAD branch at some time if HEAD modification
apply safely.


I hope I made my point clear enough, and am looking forward to hearing
from you.

Best regards.
-- 
Olivier BERGER <address@hidden>
Ingénieur Recherche - Dept INF
INT Evry (http://www.int-evry.fr)
OpenPGP-Id: 1024D/6B829EEC