Hi Gaurav,

There are still commits almost every week in libzmq and even more frequently in 
other zeromq projects. Even the most mature such as CZMQ and Zyre continue to 
evolve. So, yes, CVEs are very likely to be actively corrected and, due to the 
community architecture, it is also very likely that the correction will come at 
the same time as the detection itself.

From the start, the versioning of ZMQ has been blurry because the main usage 
(and the automated verifications in the CI chain) encourages all users to 
check out the master branch and go from there. I could quote the zguide 
(https://zguide.zeromq.org/docs/chapter6/#The-ZeroMQ-Process-C):
« It’s quite an interesting effect of the process: the git master is almost 
always perfectly stable. »

For the development of Ingescape (https://github.com/zeromq/ingescape), we’ve 
been updating all the dependencies to libzmq, czmq and zyre for each major 
version by using specific commits rather than versions.

I agree that it may be confusing not having a regularly updated versioning. 
This is also an obstacle to using common packaging solutions to keep the ZeroMQ 
stack up-to-date. But the community and the contribution process are open to 
people who would like to manage this versioning for everyone else.

BR,


Stéphane



> On 15 May 2023 at 12:42, Gaurav Gupta <eng.gupt...@gmail.com> wrote:
> 
> Hi Shannen,
> 
> Thanks for your mail!
> 
> I understand that development is slowed. So, just to confirm, if any CVE is 
> reported on libzmq 4.3.4, will it be actively fixed?
> 
> Regards,
> Gaurav
> 
> On Fri, May 12, 2023 at 5:25 PM Shannen Saez <shannenlap...@gmail.com 
> <mailto:shannenlap...@gmail.com>> wrote:
>> ZeroMQ is considered stable and unfortunately development has slowed since 
>> Pieter's passing. If there are any features you would like to see developed, 
>> please make a suggestion or open a pull request.
>> 
>> On Fri, 12 May 2023, 5:48 pm Gaurav Gupta, <eng.gupt...@gmail.com 
>> <mailto:eng.gupt...@gmail.com>> wrote:
>>> Hi,
>>> 
>>> We use ZMQ comprehensively in our application. However, it's been more than 
>>> 2 years since libzmq 4.3.4 was released.
>>> 
>>> Kindly update if there is any plan to release a new libzmq version; any 
>>> timelines would be appreciated.
>>> 
>>> Regards,
>>> Gaurav
>>> 
>>> -- 
>>> zeromq-announce mailing list
>>> zeromq-annou...@lists.zeromq.org <mailto:zeromq-annou...@lists.zeromq.org>
>>> https://lists.zeromq.org/mailman/listinfo/zeromq-announce
>> 
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev@lists.zeromq.org
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev