[postgis-devel] Can we put back GEOS 3.5 support in 3.0?

Regina Obe lr at pcorp.us
Tue Jan 29 16:06:41 PST 2019


> A worthy experiment!
Okay, you guys are all sounding like me 1 year ago and I'm sounding like strk and Paul 1 year ago.  Pretty scary world we live in.
Well at least Komzpa is as insane as I remember he ever was, so the crazy person is now our stable point of reference.

Well it looks like strk has fixed gitlab -- Thanks strk :)  So one less compelling reason to support 3.5.
Has anyone fixed Fuzzie -- wanna fix Fuzzie?  I'm a bit drowned at this moment with having to learn new things so don't want to deal with anything that requires too much thinking for at least another couple of weeks.


> On Jan 24, 2019, at 9:50 PM, Darafei Komяpa Praliaskouski <me at komzpa.net> wrote:

> PostGIS 2.0..2.3.2 now has a CVE, let's see how quick vendors will pick it up:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18359 

> On Thu, Jan 24, 2019 at 2:20 AM Darafei "Komяpa" Praliaskouski <me at komzpa.net> wrote:
> To push libraries to get update, either:
>  - make downstream packages dependencies tighter (with each PostGIS release depend on current minor of GEOS);
>  - report a CVE / security bug, so that it's handled by security team (can become just a three-line backpatch though).

> On Thu, Jan 24, 2019 at 2:14 AM Paul Ramsey <pramsey at cleverelephant.ca> wrote:
> Well, there’s going to be some exciting news on the GEOS front next week, and hopefully it will bring everyone back to the table :) I don’t know how to break the packaging logjam though, as
> there’s something about system libraries that defies makes everyone “go slow”. Which isn’t really fair, since we’ve done everything necessary to make things easy: the ABI never changes, there’s never a reason to not just dump the latest GEOS into place. What can we do to convince packagers we are sincere?

> P

Sadly the only thing you can do is do micro updates like when 4.0 comes out let's just keep implementing the micro 4.1, 4.
That might serve to piss off packagers more than help, though, confusing them as to what is stable vs. feature enhancement, which means they'll think you are crazy and just won't ship you.

The problem is the more dependable you are the more people want to depend on you. The more people depend on you, the more people want to build their things on top of you.  The more people want to build things on top of you - you are now a system library too dangerous to touch because you are the big turtle and changing the big turtle can break the other turtles all the way down to the smallest turtle.


Thanks,
Regina


