Subject: [boost] Security bugs policy
From: Artyom Beilis (artyomtnk_at_[hidden])
Date: 2012-12-22 16:15:12


Hello,

I would like to know if there is any policy about security bug fixes, updates or releases.

What I'm talking about: consider a security-related bug discovered in a Boost library. For example, the recently reported bug in Boost.Locale that will be fixed in 1.53:

  https://svn.boost.org/trac/boost/ticket/7743

I consider it a security bug as an application that validates the input (checks if it is UTF-8) may accept an invalid sequence.

Or the very critical bug in UUID (fixed in 1.43):

  https://svn.boost.org/trac/boost/ticket/3971

Any application that used them may be a target of UUID guessing.

These kinds of bugs in general should be considered critical and somehow published. It may also be important to backport the fixes to stable releases, because not everybody can move forward and they may need to stick with older releases (as Boost is neither ABI nor API backward compatible even between minor releases).

Announcements of such bugs may be critical, for example for stable Linux distributions that ship some older Boost versions and likely need to backport such bug fixes to their own Boost tree because Boost doesn't do it.

Questions:

- Do we have any policy about it?
- If not, we probably need one, including backporting of security bug fixes to stable releases.

Which brings me to other issues... Should Boost support older releases with critical bug fixes/security bug fixes? For how long?

Artyom Beilis

--------------
CppCMS - C++ Web Framework:   http://cppcms.com/
CppDB - C++ SQL Connectivity: http://cppcms.com/sql/cppdb/
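The post's first example is an input validator that is supposed to reject anything that is not well-formed UTF-8 but lets some invalid sequence through. The following is an added illustration of what a strict validator of that kind has to check; it is not Boost.Locale code and does not reproduce the specific defect in ticket 7743 (the ticket itself is the reference for that). It rejects the classes of byte sequence that RFC 3629 excludes: overlong encodings, UTF-16 surrogate code points, code points above U+10FFFF, stray continuation bytes and truncated sequences. The sample inputs in kSamples are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Strict UTF-8 well-formedness check (RFC 3629). Returns true only if
// every code point is encoded in its shortest form, is not a surrogate,
// and is at most U+10FFFF, with no truncated or stray bytes.
// Added example, not Boost.Locale's utf_traits.
bool is_valid_utf8(const std::string& s) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(s.data());
    const std::size_t n = s.size();
    std::size_t i = 0;
    while (i < n) {
        const unsigned char b0 = p[i];
        if (b0 < 0x80) { ++i; continue; }                 // single-byte ASCII
        std::size_t len;
        std::uint32_t cp;
        if (b0 >= 0xC2 && b0 <= 0xDF)      { len = 2; cp = b0 & 0x1F; }
        else if (b0 >= 0xE0 && b0 <= 0xEF) { len = 3; cp = b0 & 0x0F; }
        else if (b0 >= 0xF0 && b0 <= 0xF4) { len = 4; cp = b0 & 0x07; }
        else return false;  // 0x80..0xBF stray continuation, 0xC0/0xC1 overlong lead, 0xF5..0xFF never valid
        if (i + len > n) return false;                     // truncated sequence
        for (std::size_t k = 1; k < len; ++k) {
            const unsigned char b = p[i + k];
            if ((b & 0xC0) != 0x80) return false;          // continuation byte must be 10xxxxxx
            cp = (cp << 6) | (b & 0x3F);
        }
        if (len == 3 && cp < 0x800)   return false;        // overlong 3-byte form
        if (len == 4 && cp < 0x10000) return false;        // overlong 4-byte form
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;    // UTF-16 surrogate, not a scalar value
        if (cp > 0x10FFFF) return false;                   // beyond the Unicode range
        i += len;
    }
    return true;
}

// Constructed sample inputs with the expected verdict for each.
struct Sample { const char* bytes; std::size_t len; bool expect_valid; const char* note; };

static const Sample kSamples[] = {
    {"abc", 3, true,  "plain ASCII"},
    {"\xC3\xA9", 2, true,  "U+00E9, two-byte form"},
    {"\xE2\x82\xAC", 3, true,  "U+20AC, three-byte form"},
    {"\xF0\x9F\x98\x80", 4, true,  "U+1F600, four-byte form"},
    {"\xC0\xAF", 2, false, "overlong two-byte encoding of '/'"},
    {"\xE0\x80\xAF", 3, false, "overlong three-byte encoding of '/'"},
    {"\xF0\x80\x80\xAF", 4, false, "overlong four-byte encoding of '/'"},
    {"\xED\xA0\x80", 3, false, "UTF-16 surrogate U+D800"},
    {"\xF4\x90\x80\x80", 4, false, "U+110000, above U+10FFFF"},
    {"\xE2\x82", 2, false, "truncated three-byte sequence"},
    {"\x80", 1, false, "stray continuation byte"},
};

// Number of samples where the validator disagrees with the expected
// verdict; 0 means every constructed case is classified as documented.
int count_mismatches() {
    int bad = 0;
    for (const Sample& s : kSamples) {
        if (is_valid_utf8(std::string(s.bytes, s.len)) != s.expect_valid) ++bad;
    }
    return bad;
}
```

The overlong and surrogate cases are the ones that matter for the post's point: a validator that accepts them lets a second decoder downstream see a different character (for example a '/' hidden in an overlong encoding) than the one the validator thought it had checked.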


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk