On Sat, Jan 24, 2009 at 2:36 AM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> You seem to be out of touch I am afraid. Just look at what many O/S
> distributions do. They adopt a new OpenSSL 0.9.Xy release from time to
> time (for some initial "y") and back-port security fixes never changing
> the letter. One can't actually tell from "openssl version" what version
> one is running and which fixes have been applied.
>
> Why am I back-porting patch-sets to 0.9.8i? Is that because there is no
> demand for bugfix releases? There is indeed demand for real bugfix
> releases, just that people have gotten used to doing it themselves,
> but this is not very effective and is difficult to audit.
It is not that I am unaware of this, I was pointing out what we actually do. But you do have a fair point and I will take it up with the team.

However, I wonder how this is going to pan out? Since historically pretty much every release has been prompted by a security issue, but also includes new features and non-security bugfixes, in order to release 0.9.8j the way you want us to, we would also have to test and release security updates for 0.9.8 - 0.9.8i, for a total of 10 branched versions. I think this is asking rather a lot of volunteers!

Don't suggest that we should release feature/bugfix versions less often, I think we already do that less often than we should.

Perhaps the answer is that we security patch every version that is less than n months old, and end-of-life anything before that? Suggestions for reasonable values of n?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com