Re: [zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?

2023-05-15 Thread Bill Torpey
Hi All:

FWIW, in my shop procedures to release code into prod are very strict, and 
versioning is a key part of that.  A single release consists of a dozen or so 
component packages — some of these are open-source projects hosted by others 
(e.g., https://github.com/zeromq/libzmq ), 
some are open-source projects that we host ourselves (e.g., 
https://github.com/nyfix/OZ ), and some are 
internal closed-source projects.  

In order to build the open-source components, both our own and others’, we need 
to create a “parent” project that provides the required tooling, boilerplate, 
etc.  for our internal build process, and then pull in the open-source “core” 
(e.g., using git submodules).  For open-source projects that we don’t host 
ourselves, the submodule points to a fork that can contain commits that are 
essential to us, but for one reason or another have not (yet) been accepted 
upstream.

As you can imagine, this is all a major PITA. Anything that makes this process 
easier to track and audit is helpful.

I’ll also add that not having defined releases is a major impediment to 
incorporating ZeroMQ (or any other project) in a typical corporate environment.

Regards,

Bill


> On May 15, 2023, at 10:34 AM, Gaurav Gupta wrote:
> 
> Thanks to all for sharing their inputs.
> 
> I would agree that it's time to create a new version. And 320 commits is not 
> a small number, even if there is no significant feature in those 320 commits.
> 
> Would request the team to please release a new version
> 
> Regards,
> Gaurav
> 
> On Mon, May 15, 2023 at 8:03 PM Matthias Gabriel wrote:
> Sorry, there was a typo:
> 
> Maybe it helps turning the question around: what keeps us from releasing the 
> next version (point release). If nobody has a good argument then it's time, 
> I'd say :)
> ___
> zeromq-dev mailing list
> zeromq-dev@lists.zeromq.org 
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev 


Re: [zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?

2023-05-15 Thread Trevor Bernard
From what I can remember most libzmq releases were signaled by the
community and it sounds like we're at that point now.

On Mon, May 15, 2023 at 10:39 AM Gaurav Gupta wrote:
>
> Thanks to all for sharing their inputs.
>
> I would agree that it's time to create a new version. And 320 commits is not 
> a small number, even if there is no significant feature in those 320 commits.
>
> Would request the team to please release a new version
>
> Regards,
> Gaurav
>
> On Mon, May 15, 2023 at 8:03 PM Matthias Gabriel wrote:
>>
>> Sorry, there was a typo:
>>
>> Maybe it helps turning the question around: what keeps us from releasing the 
>> next version (point release). If nobody has a good argument then it's time, 
>> I'd say :)


Re: [zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?

2023-05-15 Thread Gaurav Gupta
Thanks to all for sharing their inputs.

I would agree that it's time to create a new version. And 320 commits is
not a small number, even if there is no significant feature in those 320
commits.

Would request the team to please release a new version

Regards,
Gaurav

On Mon, May 15, 2023 at 8:03 PM Matthias Gabriel <
matthias.gabr...@etit.tu-chemnitz.de> wrote:

> Sorry, there was a typo:
>
> Maybe it helps turning the question around: what keeps us from releasing
> the next version (point release). If nobody has a good argument then it's
> time, I'd say :)


Re: [zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?

2023-05-15 Thread Matthias Gabriel
Sorry, there was a typo:

Maybe it helps turning the question around: what keeps us from releasing the 
next version (point release). If nobody has a good argument then it's time, I'd 
say :)


Re: [zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?

2023-05-15 Thread Matthias Gabriel
I do agree that a tagged release is necessary to get updated versions included 
into the various distributions. Even though master is very stable, that's not 
enough.

I don't think an automated process is necessary though: as long as zeromq 
adheres to semver versioning (scheme suggested, but does it?), it's more 
complicated than counting commits.

Maybe it helps turning the question around: what is necessary to release the 
next version (point release). If nobody has a good argument then it's time, I'd 
say :)


Re: [zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?

2023-05-15 Thread Brett Viren
Hi Stéphane and everyone,

I find libzmq master always works when I use it.  I have never had
problems developing against it.

But, that is not enough to overcome the "social problem" of infrequent
tagged releases.

For example, the version of libzmq distributed with Debian and
presumably other distros, is never going to be based on a non-tagged
commit.  At least that is what I assume - I don't know actual policy
here - but the current Debian packaging of libzmq does not seem to
include patches to bring in the many post-4.3.4 commits.

The lack of recent tagged releases has also been a hurdle in
advocating for ZeroMQ usage.

Actually, I think a lot of these problems would go away if the ZeroMQ
CI would be made to automatically bump up a "teeny version" or a
"commit version" number for every merge to libzmq master that passes
the tests.  It would take some initial work to get that auto-bump in
place, but once there this particular "social problem" would be gone.

There may be a "numerology" problem with my suggestion.  By my count
there have been 320 commits (maybe ~1/2 are merge commits) since 4.3.4
was tagged.  Having a release with a high "commit version number" like
"4.3.4.320" or high "teeny" version number "4.3.324" may "look weird"
to some folks.  But, I guess less "weird" than seeing 2+ years and
hundreds of commits since the last release.

-Brett.

On Mon, May 15, 2023 at 7:14 AM Stephane Vales via zeromq-dev wrote:
>
> Hi Gaurav,
>
> There are still commits almost every week in libzmq and even more frequently 
> in other zeromq projects. Even the most mature such as CZMQ and Zyre continue 
> to evolve. So, yes CVEs are very likely to be actively corrected and, due to 
> the community architecture, it is also very likely that the correction will 
> come at the same time as the detection itself.
>
> From the start, the versioning of ZMQ has been blurry because the main usage 
> (and the automated verifications in the CI chain) encourage all the users to 
> check out the master branch and go from there. I could quote the zguide 
> (https://zguide.zeromq.org/docs/chapter6/#The-ZeroMQ-Process-C):
> « It’s quite an interesting effect of the process: the git master is almost 
> always perfectly stable. »
>
> For the development of Ingescape (https://github.com/zeromq/ingescape), we’ve 
> been updating all the dependencies to libzmq, czmq and zyre for each major 
> version by using specific commits rather than versions.
>
> I agree that it may be confusing not having a regularly updated versioning. 
> This is also an obstacle to using common packaging solutions to keep the 
> ZeroMQ stack up-to-date. But the community and the contribution process are 
> open to people who would like to manage this versioning for everyone else.
>
> BR,
>
>
> Stéphane
>
>
>
> On 15 May 2023 at 12:42, Gaurav Gupta wrote:
>
> Hi Shannen,
>
> Thanks for your mail!
>
> I understand that development is slowed. So, just to confirm, if any CVE is 
> reported on libzmq 4.3.4, will it be actively fixed?
>
> Regards,
> Gaurav
>
> On Fri, May 12, 2023 at 5:25 PM Shannen Saez wrote:
>>
>> ZeroMQ is considered stable and unfortunately development has slowed since 
>> Pieter's passing. If there's any features you would like to see developed 
>> please make a suggestion or open a pull request.
>>
>> On Fri, 12 May 2023, 5:48 pm Gaurav Gupta wrote:
>>>
>>> Hi,
>>>
>>> We use ZMQ comprehensively in our application. However, it's been more than 
>>> 2 years since libzmq 4.3.4 was released.
>>>
>>> Kindly update if any plan to release new libzmq version, any timelines 
>>> would be appreciated
>>>
>>> Regards,
>>> Gaurav
>>>
>>> --
>>> zeromq-announce mailing list
>>> zeromq-annou...@lists.zeromq.org
>>> https://lists.zeromq.org/mailman/listinfo/zeromq-announce
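
The two numbering schemes floated in the message above ("commit version" 4.3.4.320 and "teeny" 4.3.324), derived from a `git describe --tags --long` string. This is an added example, not part of the original thread or of ZeroMQ's CI; the function names are hypothetical and the sample string with its abbreviated hash is constructed.

```python
import re
from typing import NamedTuple

# `git describe --tags --long` prints <tag>-<commits since tag>-g<abbrev hash>;
# with --dirty it appends -dirty when the work tree has local changes.
DESCRIBE_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"-(?P<count>\d+)-g(?P<sha>[0-9a-f]{4,40})(?P<dirty>-dirty)?$"
)

class Describe(NamedTuple):
    major: int
    minor: int
    patch: int
    count: int
    sha: str
    dirty: bool

def parse_describe(text: str) -> Describe:
    m = DESCRIBE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a <tag>-<n>-g<sha> describe string: {text!r}")
    return Describe(int(m["major"]), int(m["minor"]), int(m["patch"]),
                    int(m["count"]), m["sha"], m["dirty"] is not None)

def _require_clean(d: Describe) -> None:
    # A dirty tree corresponds to no commit, so it must not receive a version
    # number that an audit would later try to map back to one.
    if d.dirty:
        raise ValueError("refusing to version a tree with uncommitted changes")

def commit_version(d: Describe) -> str:
    """Append commits-since-tag as a fourth field, e.g. 4.3.4.320."""
    _require_clean(d)
    return f"{d.major}.{d.minor}.{d.patch}.{d.count}"

def teeny_version(d: Describe) -> str:
    """Add commits-since-tag to the third field, e.g. 4.3.324."""
    _require_clean(d)
    return f"{d.major}.{d.minor}.{d.patch + d.count}"

# Constructed sample; the abbreviated hash is a placeholder, not a real commit.
SAMPLE = "v4.3.4-320-g0123abc"

if __name__ == "__main__":
    d = parse_describe(SAMPLE)
    print(commit_version(d), teeny_version(d), d.sha)
```

Under the teeny scheme a later hand-tagged 4.3.5 would sort below every auto-bumped build, which the four-field scheme avoids.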


Re: [zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?

2023-05-15 Thread Stephane Vales via zeromq-dev
Hi Gaurav,

There are still commits almost every week in libzmq and even more frequently in 
other zeromq projects. Even the most mature such as CZMQ and Zyre continue to 
evolve. So, yes CVEs are very likely to be actively corrected and, due to the 
community architecture, it is also very likely that the correction will come at 
the same time as the detection itself.

From the start, the versioning of ZMQ has been blurry because the main usage 
(and the automated verifications in the CI chain) encourage all the users to 
check out the master branch and go from there. I could quote the zguide 
(https://zguide.zeromq.org/docs/chapter6/#The-ZeroMQ-Process-C):
« It’s quite an interesting effect of the process: the git master is almost 
always perfectly stable. »

For the development of Ingescape (https://github.com/zeromq/ingescape), we’ve 
been updating all the dependencies to libzmq, czmq and zyre for each major 
version by using specific commits rather than versions.

I agree that it may be confusing not having a regularly updated versioning. 
This is also an obstacle to using common packaging solutions to keep the ZeroMQ 
stack up-to-date. But the community and the contribution process are open to 
people who would like to manage this versioning for everyone else.

BR,


Stéphane



> On 15 May 2023 at 12:42, Gaurav Gupta wrote:
> 
> Hi Shannen,
> 
> Thanks for your mail!
> 
> I understand that development is slowed. So, just to confirm, if any CVE is 
> reported on libzmq 4.3.4, will it be actively fixed?
> 
> Regards,
> Gaurav
> 
> On Fri, May 12, 2023 at 5:25 PM Shannen Saez wrote:
>> ZeroMQ is considered stable and unfortunately development has slowed since 
>> Pieter's passing. If there's any features you would like to see developed 
>> please make a suggestion or open a pull request.
>> 
>> On Fri, 12 May 2023, 5:48 pm Gaurav Gupta wrote:
>>> Hi,
>>> 
>>> We use ZMQ comprehensively in our application. However, it's been more than 
>>> 2 years since libzmq 4.3.4 was released.
>>> 
>>> Kindly update if any plan to release new libzmq version, any timelines 
>>> would be appreciated
>>> 
>>> Regards,
>>> Gaurav
>>> 


Re: [zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?

2023-05-15 Thread Gaurav Gupta
Hi Shannen,

Thanks for your mail!

I understand that development is slowed. So, just to confirm, if any CVE is
reported on libzmq 4.3.4, will it be actively fixed?

Regards,
Gaurav

On Fri, May 12, 2023 at 5:25 PM Shannen Saez wrote:

> ZeroMQ is considered stable and unfortunately development has slowed since
> Pieter's passing. If there's any features you would like to see developed
> please make a suggestion or open a pull request.
>
> On Fri, 12 May 2023, 5:48 pm Gaurav Gupta wrote:
>
>> Hi,
>>
>> We use ZMQ comprehensively in our application. However, it's been more
>> than 2 years since libzmq 4.3.4 was released.
>>
>> Kindly update if any plan to release new libzmq version, any timelines
>> would be appreciated
>>
>> Regards,
>> Gaurav
>>