[zeromq-dev] [zeromq-announce] When is new version of libzmq getting released?
Brett Viren
brett.viren at gmail.com
Mon May 15 14:43:38 CEST 2023
Hi Stéphane and everyone,
I find libzmq master always works when I use it. I have never had
problems developing against it.
But, that is not enough to overcome the "social problem" of infrequent
tagged releases.
For example, the version of libzmq distributed with Debian and
presumably other distros, is never going to be based on a non-tagged
commit. At least that is what I assume - I don't know actual policy
here - but the current Debian packaging of libzmq does not seem to
include patches to bring in the many post-4.3.4 commits.
The lack of recent tagged releases has also been a hurdle in
advocating for ZeroMQ usage.
Actually, I think a lot of these problems would go away if the ZeroMQ
CI would be made to automatically bump up an "teeny version" or a
"commit version" number for every merge to libzmq master that passes
the tests. It would take some initial work to get that auto-bump in
place, but once there this particular "social problem" would be gone.
There may be a "numerology" problem with my suggestion. By my count
there has been 320 commits (maybe ~1/2 are merge commits) since 4.3.4
was tagged. Having a release with a high "commit version number" like
"4.3.4.320" or high "teeny" version number "4.3.324" may "look weird"
to some folks. But, I guess less "weird" than seeing 2+ years and
hundreds of commits since the last release.
-Brett.
On Mon, May 15, 2023 at 7:14 AM Stephane Vales via zeromq-dev
<zeromq-dev at lists.zeromq.org> wrote:
>
> Hi Gaurav,
>
> There are still commits almost every week in libzmq and even more frequently in other zeromq projects. Even the most mature such as CZMQ and Zyre continue to evolve. So, yes CVEs are very likely to be actively corrected and, due to the community architecture, it is also very likely that the correction will come at the same time as the detection itself.
>
> From the start, the versioning of ZMQ has been blurry because the main usage (and the automated verifications in the CI chain) encourage all the user to checkout the master branch and go from there. I could quote the zguide (https://zguide.zeromq.org/docs/chapter6/#The-ZeroMQ-Process-C):
> « It’s quite an interesting effect of the process: the git master is almost always perfectly stable. »
>
> For the development of Ingescape (https://github.com/zeromq/ingescape), we’ve been updating all the dependencies to libzmq, czqm and zyre for each major version by using specific commits rather than versions.
>
> I agree that it may be confusing not having a regularly updated versioning. This is also an obstacle to using common packaging solutions to keep the ZeroMQ stack up-to-date. But the community and the contribution process are open to people who would like to manage this versioning for everyone else.
>
> BR,
>
>
> Stéphane
> ˻
>
>
>
> Le 15 mai 2023 à 12:42, Gaurav Gupta <eng.gupta26 at gmail.com> a écrit :
>
> Hi Shannen,
>
> Thanks for your mail!
>
> I understand that development is slowed. So, just to confirm, if any CVE is reported on libzmq 4.3.4, will it be actively fixed?
>
> Regards,
> Gaurav
>
> On Fri, May 12, 2023 at 5:25 PM Shannen Saez <shannenlaptop at gmail.com> wrote:
>>
>> ZeroMQ is considered stable and unfortunately development has slowed since Pieters passing. If there's any features you would like to see developed please make a suggestion or open a pull request.
>>
>> On Fri, 12 May 2023, 5:48 pm Gaurav Gupta, <eng.gupta26 at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> We use ZMQ comprehensively in our application. However, it's been more than 2 years since libzmq 4.3.4 was released.
>>>
>>> Kindly update if any plan to release new libzmq version, any timelines would be appreciated
>>>
>>> Regards,
>>> Gaurav
>>>
>>> --
>>> zeromq-announce mailing list
>>> zeromq-announce at lists.zeromq.org
>>> https://lists.zeromq.org/mailman/listinfo/zeromq-announce
>>
>>
>> --
>> zeromq-announce mailing list
>> zeromq-announce at lists.zeromq.org
>> https://lists.zeromq.org/mailman/listinfo/zeromq-announce
>
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
>
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
More information about the zeromq-dev
mailing list