
Re: GNU Parallel Bug Reports Security Updates


From: Ole Tange
Subject: Re: GNU Parallel Bug Reports Security Updates
Date: Fri, 2 Sep 2011 16:46:42 +0200

On Wed, Aug 31, 2011 at 2:19 PM, Postmann Michael RBS sIT
<address@hidden> wrote:

> I'm using GNU Parallel on a production system.

Good to hear.

> For me it's vital to know if an update closes (possible) security holes, 
> fixes some bugs or only has feature improvements.

Makes sense.

> On a production system it's a lot of overhead to update software as it needs 
> to be tested before and there is always the risk of something not working, 
> either during deployment or due to a new bug in the software itself, so the 
> goal is to update only if there is a known security hole or if the bug 
> affects a feature we use.
>
> So I would be grateful if you could at least state "This is a security 
> update" or "This is just a bugfix/feature release" in your release mails 
> because "Bug fixes and man page updates" is not specific enough to answer 
> that question.

GNU Parallel can be installed as a normal user simply by copying the
perl script. It requires no extra privileges to run. Thus I have yet
to see a bug that had any security implications. If that should ever
happen (which I simply cannot imagine how) I promise to stress that in
the release notes.

The closest we have been to a security bug was that --trc could not
return files that had ' ' in them. And in my book that does not
qualify as a security bug: You might lose data if you depended on it
working - just like you might lose data due to other bugs.

Currently there is no funding for maintaining two separate branches:
"bug fix" and "new features". So bug fixes go into the newest version,
which also has new features that may be buggy.

The man page will give you an indication of what code has been touched
recently: If the option says 'alpha testing' it means that this code
was touched in this release. If the code says 'beta testing' the code
was touched in the last release. Code that has not been touched for 2
releases is regarded as production quality and not marked as testing.
So if some features are critical to you, you may want to read the man
page for each release and hold off for 2 releases if the critical
features have been touched.

Every release has to pass a test suite before being released. So old
bugs should never creep back in (at least not if the bugs are
testable).


/Ole


