No re-use of version numbers in software development

Posted on January 30, 2010 by Marcus.

You certainly know that in software development, version numbers (e.g. 0.2.27) are used to identify one specific state of a software product: a given number should always refer to exactly the same code.

We, the TYPO3 Security Team, recently worked on an issue in which an extension developer tried to be clever with the version number of his extension. We contacted him and reported a specific version (say, 0.2.27) as vulnerable. A few days later, a "new" version 0.2.27 of his extension, with the vulnerabilities removed, appeared in the TYPO3 Extension Repository (TER), replacing the original upload.

Unfortunately, this happens from time to time in the TYPO3 world. It is a pity that the TER infrastructure does not reject uploads that overwrite an already published extension version.

This is really bad development style. Suppose you maintain a software product in which a bug is found in version 1.3.15. You fix it, overwrite that version, and now 1.3.15 is clean. Then a new report comes in stating that 1.3.15 is defective. You now have a problem: which 1.3.15 contains the bug, the original one or the modified one? The version number no longer identifies one piece of code.

Additionally, in the TYPO3 world there is another drawback. TYPO3 CMS has a so-called extension manager that allows administrators to install, remove and update third-party extensions from the backend. Since the extension manager can only compare version numbers, it will not report an update if you simply overwrite an existing version, and sites running the old upload stay vulnerable without anyone noticing.

Finally, when it comes to security incidents, things get even worse. There are many security service providers, such as Secunia, that track security advisories and keep you informed about vulnerabilities in products you have deployed. In addition, there are vulnerability databases such as NVD that describe and rate vulnerabilities in software products. All of them refer to affected software by version number.

So in a security advisory you obviously want to state clearly that version 1.3.15 is vulnerable and version 1.3.16 contains the fix. You do not want to say that version 1.3.15 as published until January 15, 2010 is vulnerable but any copy of 1.3.15 downloaded later is safe to use. That makes things unnecessarily complicated, and it gives administrators no way to tell from the version number alone which copy they have installed.
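To make the three failure modes above concrete, here is an added example (not code from this post, from TYPO3 or from TER; written in Python rather than PHP for this page): a small extension registry that binds each (extension key, version) pair to one artifact digest and rejects a second upload of the same version with different contents, next to the two checks that depend on that guarantee, an extension manager's "is an update available" comparison and an advisory's "versions below X are affected" test. The extension key `myext`, the registry class and the artifact bytes are constructed for the example; the only thing taken from the post is that the repository accepted the overwrite.

```python
"""Added example: an immutable extension registry and the two version checks
that break when a published version number is reused. Not TYPO3/TER code."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True, order=True)
class Version:
    """Dotted major.minor.patch version; field order gives the natural ordering."""
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> Version:
        parts = text.strip().split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not a major.minor.patch version: {text!r}")
        return cls(*(int(p) for p in parts))

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


class VersionAlreadyPublished(Exception):
    """Raised when a different artifact is uploaded under an existing version."""


class ExtensionRepository:
    """Registry keyed by (extension key, version). Once published, a version is
    bound to one artifact digest and never changes (constructed, not TER)."""

    def __init__(self) -> None:
        self._releases: Dict[Tuple[str, Version], str] = {}

    def publish(self, ext_key: str, version: str, artifact: bytes) -> str:
        ver = Version.parse(version)
        digest = hashlib.sha256(artifact).hexdigest()
        previous = self._releases.get((ext_key, ver))
        if previous is None:
            self._releases[(ext_key, ver)] = digest
        elif previous != digest:
            # Same number, different bytes: the overwrite the post describes.
            # Reject it; the fix must go out under a new version number.
            raise VersionAlreadyPublished(
                f"{ext_key} {ver} is already published with a different artifact; "
                f"release the fix as a new version instead"
            )
        # A byte-identical re-upload is harmless, so publish() stays idempotent.
        return digest

    def latest(self, ext_key: str) -> Optional[Version]:
        versions = [v for (k, v) in self._releases if k == ext_key]
        return max(versions) if versions else None


def update_available(repo: ExtensionRepository, ext_key: str, installed: str) -> bool:
    """All an extension manager can do is compare numbers. If the fix was pushed
    under the installed number, this is False and the site stays vulnerable."""
    latest = repo.latest(ext_key)
    return latest is not None and latest > Version.parse(installed)


def is_affected(installed: str, first_fixed: str) -> bool:
    """Advisory range check 'versions below first_fixed are vulnerable'. Only
    meaningful when every version number maps to exactly one artifact."""
    return Version.parse(installed) < Version.parse(first_fixed)


def walkthrough() -> dict:
    """Replay the incident from the post against the immutable registry.
    The artifact bytes are constructed placeholders, not real extension code."""
    repo = ExtensionRepository()
    vulnerable, fixed = b"<?php // vulnerable 0.2.27", b"<?php // fixed"
    repo.publish("myext", "0.2.27", vulnerable)
    result = {"update_seen_before_fix": update_available(repo, "myext", "0.2.27")}
    try:
        repo.publish("myext", "0.2.27", fixed)  # the 'cleaned up' re-upload
        result["overwrite_rejected"] = False
    except VersionAlreadyPublished:
        result["overwrite_rejected"] = True
    repo.publish("myext", "0.2.28", fixed)  # what should have happened instead
    result["update_seen_after_bump"] = update_available(repo, "myext", "0.2.27")
    result["latest"] = str(repo.latest("myext"))
    result["old_affected"] = is_affected("0.2.27", "0.2.28")
    result["new_affected"] = is_affected("0.2.28", "0.2.28")
    return result


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running it replays the incident: with the vulnerable 0.2.27 published, the manager sees no update; the attempt to push the fix under 0.2.27 is rejected; publishing 0.2.28 instead makes both the update check and the advisory range come out right. Accepting a byte-identical re-upload is deliberate: it keeps retried uploads harmless while still forbidding any change to what a version number means.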

Do proper software development: do not overwrite version numbers! There is an unlimited supply of version numbers; do not be stingy with them, you will not use them all up.


FULL ACK

Yes, I totally agree with you, Marcus!

What I also dislike are breaking changes in patch-level releases (and also new features). It's one of the major advantages of TYPO3 that you can (usually) upgrade patch-level releases without any problems. Pity that many EXT authors don't adopt this philosophy!

Steffen

by Steffen Gebert on January 30, 2010

Also a FULL ACK but...

... most of them don't care about proper versioning because they don't know how it's meant to be (also, Kickstarter starts with 0.0.1 (which sucks IMHO), and a lot of extensions never reach 1.0.0 even if they're stable). If you review the code of TER extensions you'll see that a lot of the coders don't even care about the CGL; maybe they simply don't know the corresponding docs.

For version numbers I think it's more a problem of comprehensible explanations, since the info in the EM upload form is not that clear (there could be a link to a page on TYPO3.org with a small version number »How to«...), and one would just increase the number to get the upload done.

Andreas

by Andreas Beutel on January 30, 2010
