Thanks Andrew. Ok. I'll take a look at it for the Debian packages.

From the packager's point of view, it would be really helpful to have some kind of security issue notification channel, where packagers can subscribe. Is there something for qpid that I'm not aware of?

Cajus

On 27.08.2012 17:48, Andrew Stitcher wrote:
On Mon, 2012-08-27 at 09:32 +0200, Cajus Pollmeier wrote:
Hi,

while Debian Wheezy is in the freeze process, there was a security
issue found that affects 0.16:

http://www.openwall.com/lists/oss-security/2012/08/09/6

That means that I've to apply the fix to 0.16. The question is: what
should I do with the SONAME of the affected library (libqpidbroker) -
which exposes a method with a changed interface in this case?

Is there a SONAME proposal to not conflict with later versions of
qpidd?

I don't think that we are currently proposing any upstream library
versioning at all. As far as I remember the library versioning in the
Fedora and Red Hat Enterprise packages are not the same as the
versioning you will get if you just run make install on the upstream
package.

Similarly we've not been especially careful to change library versions
consistent with ABI so perhaps you should do whatever works for your
packaging.

I would note that libqpidbroker really exposes only an entirely private
interface though so perhaps its versioning isn't that significant -
it's not actually separable from qpidd anyway.

Andrew



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

