Re: Fwd: JEP 223: New Version-String Scheme

Tue, 04 Nov 2014 23:16:15 -0800 

On 05/11/2014 1:18 AM, Mirko Friedenhagen wrote:

And the scheme as I read it is MAJOR.FEATURE_MINOR.SECURITY.PATCHLEVEL and
FEATURE_MINOR and SECURITY are sort of independent, so a bigger minor might
be less secure.

Regards
Mirko
I gather that the assumption is that 9.2.20 would include all of the security patches of 9.1.20 and that one would never issue a 9.2.19 after 9.1.20 had been released and that security bugs would always be released on the higher versions first. A release pattern of 9.1.19, 9.2.19 and 9.2.20 followed by a backporting to 9.1.20 would be expected rather than 
9.1.19, 9.2.19, 9.1.20 followed by 9.2.20.
However, the second release pattern might come about if the 9.2.19 release is not widely adopted and there is a lot of interest in fixing the security problem in 9.1.19 since it is in more production environments or in the environment of the person doing the patching.
Version numbers in and of themselves do not guarantee security but at least you can easily see that a 9.2.21 release has at least some security flaw fixed that 9.2.20 did not but it does not have any added functionality. 

It also makes it easier to discuss security.
9.x.20 includes fixes security issues 6789,6897, 6899
9.x.21 includes fixes for security issues 6931,6944
If the security patches are backported, one could easily see that 9.1.21 and 9.2.21 have the same security patches applied (unless some only apply to new features in 9.2.20 that do not cause a security problem in 9.1.20). If none of the security patches in 9.2.21 apply to 9.1.20, does one still issue a 9.1.21 just to signal that it is just as secure as 9.2.21 even though none of the x.x.21 patches were applied?
When security patches apply to different major versions, one has to do a bit of reading to find out that 8.3.35 (actually 8.x.35) has the same security patches (at least the ones that apply) as 9.2.21(9.x.21). Security release 34 in release 8.x.34 is not as secure as 21 in 9.x.21 but 9.x.21 is just as secure as 8.x.35. 

Ron

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org

Reply via email to