[Development] Qt 4.6.5 and 4.7.6 release candidates available

Thiago Macieira thiago.macieira at intel.com
Thu Feb 21 01:34:19 CET 2013 

On quarta-feira, 20 de fevereiro de 2013 21.03.10, Turunen Tuukka wrote:
> >I understand how the previous releases were done, but I disagree on the
> >plan.
> >I want the changes in the 4.7 branch released and I don't want the
> >changes in
> >the 4.7-digia branch released unless the rest of the Qt Project is given
> >the
> >opportunity to review them.
> 
> These are all already reviewed as the items are from 4.7 or 4.8 branch.
> There is no new functionality and we are not proposing to sneak in
> something. To our knowledge e.g. 4.7.5 has been used quite much by the
> LGPL users, and from that perspective 4.7.6 is a natural addition.

There is no Qt 4.7.5, so open source users have not used it. If it was 
released as Open Source, please upload it to ftp.qt-project.org and upload the 
tag to qt.git. That settles the matter of the next version number.

The problem is that some of the backports from 4.8 were not approved by the Qt 
Project. Those are the ones I want to review and allow others to do the same. 
They were submitted to 4.8 (not 4.7) for a reason.

> As said before this does not represent the way branches should be handled,
> but in these circumstances it is seen as the best approach - especially
> since everything is ready and tested now - we just need to release
> packages and make sure right branch is found.
> 
> >> We have the packages ready and tested with minor fixes compared to RC1
> >>
> >>(21st
> >>
> >> Dec). If we re-do these packages it is a significant effort with very
> >> limited benefits.
> >
> >Sorry, the current packages are a complete no-go. They need to be
> >recreated
> >anyway, since they're missing the shmget security fix.
> 
> As the shmget security fix changes behavior and its risk rating, I would
> not like to put it into these.

Well, the security team reviewed the fix and approved its release. Any security 
fix should be included in releases made after the fix is provided. So I don't 
think you can make that call and the fix must be included.

If there's a problem with the fix, please raise it.

> And if we start re-do packages and release content we will delay work with
> 5.0.x and 5.1.x releases, which I am sure no-one wants.

Then we delay the 4.6 and 4.7 packages, which also gives us time to the review 
I'm asking for and even do the merge of the branches.

> >Let's compromise then: we release the 4.7-digia branch provided that the
> >4.7
> >branch also gets released within six months. Plan:
> >
> >1) the security fix is backported into the 4.x-digia branches
> 
> The fixes included should be the ones also in the RC1 in my opinion as the
> shmget contains functionality change prone to cause problems.

Well, then we have a problem because in my opinion, as the maintainer of the 
code in question, the chance of causing problems is outweighed by the security 
fix itself. If there's a problem with the security fix, then we need to deal 
with it immediately, not arbitrarily decide to exclude it from a release after 
announcing it.

You cannot make that call alone. What's more, we discussed the problem and the 
solution for two months in the security mailing list, which you're a part of. 
If there's a problem, please start a new thread on this mailing list so we can 
discuss it.

Meanwhile, either include the fix in the release or don't release.

> >2) we review all changes made to those branches that aren't in the
> >respective
> >4.x branch, with silent approval: if no one objects, the change is
> >approved
> 
> There is none of such to my knowledge.

You said above that there are (the 4.8 backports). If there weren't any, then 
the 4.x-digia branch would a subset of the corresponding 4.x branch and, so, 
the release would be made out of the 4.x branch instead.

> >3) we release from the 4.x-digia branch, with the public note of the
> >mistake
> >in the 4.7 version number
> 
> We can omit the -digia as it causes confusion.

Sorry, to be specific: we release 4.6.5 from the 4.6-digia branch and 4.7.6 
from the 4.7-digia branch. The releases themselves won't have the "-digia" 
suffix in their version numbers.

> >4) we merge the 4.x-digia branch into the 4.x branch and close the
> >4.x-digia
> >branch
> >
> >5) we release Qt 4.7.7 within six months
> >
> >I'd like to hear that there will be people allocated to doing the release
> >work
> >for the changes that went into the Qt 4.7 branch in the past year since
> >the
> >two branches diverged.
> 
> As mentioned these are already done when the original contributions have
> been made.

We've established that there are changes that are in those branches that were 
not approved to be in those branches, and that there are changes approved for 
the 4.7 release that are not getting included in the release.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.qt-project.org/pipermail/development/attachments/20130220/be955585/attachment.sig>

More information about the Development mailing list