Date:   Fri, 10 Jul 2020 09:07:09 -0700
From:   Junio C Hamano <gitster@...ox.com>
To:     Derrick Stolee <stolee@...il.com>
Cc:     git@...r.kernel.org, Linux Kernel <linux-kernel@...r.kernel.org>,
        git-packagers@...glegroups.com
Subject: Re: [ANNOUNCE] Git v2.28.0-rc0

Derrick Stolee <stolee@...il.com> writes:

> On 7/9/2020 5:40 PM, Junio C Hamano wrote:
>> An early preview release Git v2.28.0-rc0 is now available for
>> testing at the usual places.  
>
> This might be part of your new process, or it might be an
> oversight. It seems that GIT-VERSION-GEN did not update with
> this RC, so the built version will still have a 2.27 start [1].
>
> This differs from previous rc's [2].

Sorry, I screwed up.  Thanks for a set of sharp eyes.

I however think that there is no practical problem other than for
those who "grep DEF_VER GIT-VERSION-GEN" and base their action on
the result.  If somebody is building from the tarball created by
"make dist" (be it done by me and uploaded to k.org or done by
somebody else from a clone of my repository), there would be the
"version" file included in the tarball that would override the
DEF_VER setting in GIT-VERSION-GEN.  If somebody is building from
a clone of my repository, GIT-VERSION-GEN runs "git describe" to
find out which version it is, without using DEF_VER.

The only three unrealistic classes of users that may be affected
are:

 - The ones that single-branch cloned from me _with_ --no-tags, so
   that "git describe" is run but cannot find what version it is.

 - The ones that _somehow_ cloned from me _without_ having any
   version of git that can run "git describe" in the repository.

 - The ones that receive a tarball that was created by running
   "make dist" in the directory that resulted from extracting the
   official tarball and then removed the ./version file included in
   the official tarball.

For the people in the first two classes, GIT-VERSION-GEN would fail
to use "git describe" to find which version it is building, and end
up using DEF_VER.  We can call the third kind a crippled/sabotaged
tarball---without the involvement of the person who extracted the
official tarball, munged the resulting directory and then made a
different tarball by running "make dist" in it, the builders would
not see DEF_VER being wrong.

Thanks anyway.  I'll try to be more careful when tagging -rc1.
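
Added example, not part of the message above and not Git's own GIT-VERSION-GEN: a packager-side check that reports which of the three sources described in the message (the "version" file, "git describe", or the DEF_VER fallback) a source tree would take its version from, and fails when the result does not match the release being built. The function names, the output format and the way the DEF_VER value is passed in are assumptions made for this sketch.

```shell
#!/bin/sh
# Added sketch: follows the precedence described in the message
# (version file, then "git describe", then DEF_VER). Not Git's script.

# resolve_version DIR DEF_VER  ->  prints "SOURCE VERSION"
# SOURCE is one of: version-file, git-describe, def-ver
resolve_version() {
    dir=$1
    def_ver=$2
    # 1. A non-empty "version" file, as shipped in a "make dist" tarball, wins.
    if [ -s "$dir/version" ]; then
        echo "version-file $(head -n 1 "$dir/version")"
        return 0
    fi
    # 2. In a clone, ask "git describe". This fails without git or without
    #    tags (for example a --no-tags clone), which leads to step 3.
    if [ -e "$dir/.git" ] &&
       v=$(git -C "$dir" describe --match 'v[0-9]*' HEAD 2>/dev/null) &&
       [ -n "$v" ]; then
        echo "git-describe ${v#v}"
        return 0
    fi
    # 3. Fallback: the hard-coded default, which may be stale.
    echo "def-ver $def_ver"
}

# audit_tree DIR DEF_VER EXPECTED_PREFIX
# Returns 0 when the resolved version starts with EXPECTED_PREFIX.
audit_tree() {
    resolved=$(resolve_version "$1" "$2")
    src=${resolved%% *}
    ver=${resolved#* }
    case $ver in
        "$3"*)
            echo "ok: $ver (from $src)"
            return 0 ;;
        *)
            echo "MISMATCH: would build $ver (from $src), expected $3*" >&2
            return 1 ;;
    esac
}

# Stand-alone use: sh check-version.sh TREE DEF_VER EXPECTED_PREFIX
# (the script name is hypothetical)
if [ $# -ge 3 ]; then
    audit_tree "$@"
fi
```

The DEF_VER argument is whatever `grep DEF_VER GIT-VERSION-GEN` shows in the tree being audited; a "def-ver" source in the output is the signal that the tree falls into one of the three classes listed in the message.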

