Hi Stéphane and everyone, I find libzmq master always works when I use it. I have never had problems developing against it.
But, that is not enough to overcome the "social problem" of infrequent tagged releases. For example, the version of libzmq distributed with Debian and presumably other distros, is never going to be based on a non-tagged commit. At least that is what I assume - I don't know actual policy here - but the current Debian packaging of libzmq does not seem to include patches to bring in the many post-4.3.4 commits. The lack of recent tagged releases has also been a hurdle in advocating for ZeroMQ usage. Actually, I think a lot of these problems would go away if the ZeroMQ CI would be made to automatically bump up an "teeny version" or a "commit version" number for every merge to libzmq master that passes the tests. It would take some initial work to get that auto-bump in place, but once there this particular "social problem" would be gone. There may be a "numerology" problem with my suggestion. By my count there has been 320 commits (maybe ~1/2 are merge commits) since 4.3.4 was tagged. Having a release with a high "commit version number" like "4.3.4.320" or high "teeny" version number "4.3.324" may "look weird" to some folks. But, I guess less "weird" than seeing 2+ years and hundreds of commits since the last release. -Brett. On Mon, May 15, 2023 at 7:14 AM Stephane Vales via zeromq-dev <[email protected]> wrote: > > Hi Gaurav, > > There are still commits almost every week in libzmq and even more frequently > in other zeromq projects. Even the most mature such as CZMQ and Zyre continue > to evolve. So, yes CVEs are very likely to be actively corrected and, due to > the community architecture, it is also very likely that the correction will > come at the same time as the detection itself. > > From the start, the versioning of ZMQ has been blurry because the main usage > (and the automated verifications in the CI chain) encourage all the user to > checkout the master branch and go from there. I could quote the zguide > (https://zguide.zeromq.org/docs/chapter6/#The-ZeroMQ-Process-C): > « It’s quite an interesting effect of the process: the git master is almost > always perfectly stable. » > > For the development of Ingescape (https://github.com/zeromq/ingescape), we’ve > been updating all the dependencies to libzmq, czqm and zyre for each major > version by using specific commits rather than versions. > > I agree that it may be confusing not having a regularly updated versioning. > This is also an obstacle to using common packaging solutions to keep the > ZeroMQ stack up-to-date. But the community and the contribution process are > open to people who would like to manage this versioning for everyone else. > > BR, > > > Stéphane > ˻ > > > > Le 15 mai 2023 à 12:42, Gaurav Gupta <[email protected]> a écrit : > > Hi Shannen, > > Thanks for your mail! > > I understand that development is slowed. So, just to confirm, if any CVE is > reported on libzmq 4.3.4, will it be actively fixed? > > Regards, > Gaurav > > On Fri, May 12, 2023 at 5:25 PM Shannen Saez <[email protected]> wrote: >> >> ZeroMQ is considered stable and unfortunately development has slowed since >> Pieters passing. If there's any features you would like to see developed >> please make a suggestion or open a pull request. >> >> On Fri, 12 May 2023, 5:48 pm Gaurav Gupta, <[email protected]> wrote: >>> >>> Hi, >>> >>> We use ZMQ comprehensively in our application. However, it's been more than >>> 2 years since libzmq 4.3.4 was released. >>> >>> Kindly update if any plan to release new libzmq version, any timelines >>> would be appreciated >>> >>> Regards, >>> Gaurav >>> >>> -- >>> zeromq-announce mailing list >>> [email protected] >>> https://lists.zeromq.org/mailman/listinfo/zeromq-announce >> >> >> -- >> zeromq-announce mailing list >> [email protected] >> https://lists.zeromq.org/mailman/listinfo/zeromq-announce > > _______________________________________________ > zeromq-dev mailing list > [email protected] > https://lists.zeromq.org/mailman/listinfo/zeromq-dev > > > _______________________________________________ > zeromq-dev mailing list > [email protected] > https://lists.zeromq.org/mailman/listinfo/zeromq-dev _______________________________________________ zeromq-dev mailing list [email protected] https://lists.zeromq.org/mailman/listinfo/zeromq-dev
