Hey :),

On Tue, Mar 1, 2016 at 11:02 PM, Michael Biebl <mbi...@gmail.com> wrote:
> Hi Carlos
>
> 2016-03-01 19:27 GMT+01:00 Carlos Garnacho <carl...@gnome.org>:
>> I talked with them (Richard Hipp and Dan Kennedy) through private
>> email. The solutions basically seemed to be:
>> - Including a static sqlite copy wherever fts3_tokenizer() is needed
>> - Using FTS5, which offers a way to customize FTS tokenizing that is
>> not affected by this vulnerability
>> - Adding such a similar way to FTS3
>>
>> Basically, the vulnerability is completely intrinsic to the
>> fts3_tokenizer() call with 2 arguments, they can't both fix the CVE
>> and keep offering it unchanged. Of those three options, all three
>> require changes in the users of this call, plus for the third we'd
>> have to wait for a hypothetical change, and wouldn't erase 3.11 from
>> earth either...
>>
>> So I took solutions 1 and 2 wherever they apply. I also considered
>> backporting the FTS5 changes to stable branches, but it's too many
>> changes and too bleeding edge for me to be comfortable with it...
>
> Thanks for the explanation. I'm glad to hear that this embedded
> copy is only a workaround for the stable 1.6 branch.
> How far away is 1.7/1.8 from being declared stable?

I'm following the gnome schedule, so roughly 3 weeks :). The version
numbers are totally misguiding, but we're supposedly RC1 now.

Cheers,
  Carlos
_______________________________________________
tracker-list mailing list
tracker-list@gnome.org
https://mail.gnome.org/mailman/listinfo/tracker-list
