Hi! Despite that gnulib homepage says "Gnulib does not make releases. It is intended to be used at the source level." gnulib is in fact packaged in quite a lot of distributions:
https://repology.org/project/gnulib/versions Note that since there are no official versions maintainers have to invent versioning schemes which include "0", multiple date based and commit number based formats. There are known vulnerabilities for gnulib which also have to use something version-like to describe which gnulib versions are affected (these use dates in YYYY-MM-DD format): https://nvd.nist.gov/vuln/detail/CVE-2017-7476 https://nvd.nist.gov/vuln/detail/CVE-2018-17942 Note that it's impossible to match these against package versions due to inconsistent versioning scheme. So as you can see, even though there are no official versioned releases, people have to invent and use these to refer to specific gnulib commit ranges, and not having any consistency in these schemes results in e.g. inability to report vulnerable packages. So I suggest to fix this by introducing any kind of upstream versioning. Versions don't even need to have any meaning or be tied to specific events such as API breakages or adding new features (however using semver would probably be most useful for consumers), there's just need to be an official versioning scheme, and some eventual releases so people don't have to reside to inventing snapshot schemes. -- Dmitry Marakasov . 55B5 0596 FF1E 8D84 5F56 9510 D35A 80DD F9D2 F77D amd...@amdmi3.ru ..: https://github.com/AMDmi3