You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The reason will be displayed to describe this comment to others. Learn more.
Yes, partially but not deliberately to exclude this one. Since several of the patches made since then had been of an API breaking nature I had limited the release to only contain the history up until the first breaking one. Priority was to get a release published without the memory safety concerns we had discovered, and I wanted to include fixes as far as I was aware of them. Good point, I think we can give the other merge PRs, include this one, another review to get a 0.21.2 out with all the other fixes I may have missed.
Edit: It should also be noted that some of the PRs built on-top of one of the commits after one of the breaking merges. I guess I could have applied more diligence in selecting the commits to include in the rewritten branch.
The reason will be displayed to describe this comment to others. Learn more.
Thanks for replying so quickly!
I had noticed that 0.21.0 had gotten yanked, and when I saw the changelog in this branch I figured some haste might have been involved to get a breaking bug out of crates.io ASAP.
The reason will be displayed to describe this comment to others. Learn more.
You can find some more information on the actual impact here: https://github.com/image-rs/image/blob/memory-safety-0.21.1/docs/2019-04-23-memory-unsafety.md but the tl;dr: a potential unsafety was hidden in past versions but more critically also relied on by assumptions within a new dependendency. Since that dependency was far more dangerous than its documentation made us believe, we decided that the usage in image should not look like an endorsement and we would like to at least be in a position where such unsafety can be patched by ourselves, or be proven more carefully. That reminds me, that I should add this to the official blog right now for more visibility.
2173f03There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @HeroicKatora, this commit did not end up in the 0.21.1 release, but it seems other changes from February did. Is this a deliberate choice?
2173f03There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, partially but not deliberately to exclude this one. Since several of the patches made since then had been of an API breaking nature I had limited the release to only contain the history up until the first breaking one. Priority was to get a release published without the memory safety concerns we had discovered, and I wanted to include fixes as far as I was aware of them. Good point, I think we can give the other merge PRs, include this one, another review to get a
0.21.2out with all the other fixes I may have missed.Edit: It should also be noted that some of the PRs built on-top of one of the commits after one of the breaking merges. I guess I could have applied more diligence in selecting the commits to include in the rewritten branch.
2173f03There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for replying so quickly!
I had noticed that
0.21.0had gotten yanked, and when I saw the changelog in this branch I figured some haste might have been involved to get a breaking bug out of crates.io ASAP.2173f03There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can find some more information on the actual impact here: https://github.com/image-rs/image/blob/memory-safety-0.21.1/docs/2019-04-23-memory-unsafety.md but the tl;dr: a potential unsafety was hidden in past versions but more critically also relied on by assumptions within a new dependendency. Since that dependency was far more dangerous than its documentation made us believe, we decided that the usage in
imageshould not look like an endorsement and we would like to at least be in a position where such unsafety can be patched by ourselves, or be proven more carefully. That reminds me, that I should add this to the official blog right now for more visibility.