mindsphere / mindconnect-lib

MindConnect Library (MCL) - Use the MindConnect Library (MCL) to securely connect your on-site device. By cloning or downloading this repository, you accept the Development License Agreement, which you can read by following the link https://developer.mindsphere.io/license.html.
https://documentation.mindsphere.io/MindSphere/resources/mindconnect-lib-v4/resources-mclib-overview.html

Question on versioning strategy #11

Closed fmoessbauer closed 1 month ago

fmoessbauer commented 2 years ago

From the version numbers I guessed that this project uses semantic versioning. But this does not seem to be the case, as breaking changes (e.g. minimal required versions of external dependencies) are updated on patch versions.

This makes it very hard to integrate this component in systems that use a Linux distribution as a base (like Industrial Linux). All non-vendored (external) dependencies should be provided by the system to profit from security fixes in these libraries. Please note that distros backport critical security fixes while keeping the ABI compatible, hence do not update the SOVERSION. Because of that, just by looking at the version number of e.g. curl on Debian buster, you cannot tell whether the version is vulnerable.

The MCL approach of bumping the minimal required versions of external components due to security arguments contradicts this and in the end makes deployments less secure.

Is this strategy actually intended, or is this just by accident and can be changed in the future? If not, please only require minimal versions based on your API requirements, but not on some pseudo-security aspects.
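
The point about backported fixes, as an added worked example that is not part of this issue or of the MindConnect Library: a Python reimplementation of dpkg's version ordering, used to contrast two ways of deciding whether an installed package is "fixed". The package version, suite name, CVE id and the `FIXED_IN` table are constructed sample data, not real advisory data, and the function names are my own.

```python
"""dpkg-style version comparison, plus the two kinds of 'is it fixed?' check
contrasted in the issue. Added example; not part of the MindConnect Library."""
from typing import Dict, Tuple


def _order(c: str) -> int:
    """Sort weight of one non-digit character, as dpkg defines it: '~' sorts
    before anything (even end of string), letters before non-letters, and
    everything else by code point."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg compares the upstream and
    revision parts: alternating non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer digit string wins;
        # at equal length the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_debian_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all, e.g. a bare upstream number
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _sign(n: int) -> int:
    return (n > 0) - (n < 0)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` does."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return _sign(ea - eb)
    c = _verrevcmp(ua, ub)
    if c:
        return _sign(c)
    return _sign(_verrevcmp(ra, rb))


# Constructed sample data standing in for a distro security tracker: for each
# (package, suite), the first *distro* package version carrying the backported
# fix. The CVE id is a placeholder, not a real advisory.
FIXED_IN: Dict[Tuple[str, str], Dict[str, str]] = {
    ("curl", "buster"): {"CVE-0000-0001": "7.64.0-4+deb10u2"},
}


def naive_upstream_check(installed: str, upstream_minimum: str) -> bool:
    """The approach the issue objects to: look only at the upstream number
    and demand the release in which upstream shipped the fix."""
    _, upstream, _ = parse_debian_version(installed)
    return compare_versions(upstream, upstream_minimum) >= 0


def distro_tracker_check(package: str, suite: str, installed: str, cve: str) -> bool:
    """Check the installed distro version against the version in which the
    distro backported the fix (upstream number and SOVERSION unchanged)."""
    fixed = FIXED_IN.get((package, suite), {}).get(cve)
    return fixed is not None and compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    installed = "7.64.0-4+deb10u2"  # constructed buster-style package version
    print("upstream >= 7.71.0 ?", naive_upstream_check(installed, "7.71.0"))  # False
    print("distro fix present ?", distro_tracker_check("curl", "buster", installed, "CVE-0000-0001"))  # True
```

The same installed package is reported as vulnerable by the upstream-only rule and as fixed by the distro-aware rule; a build system that encodes the upstream minimum as a hard requirement therefore rejects exactly the package the distro has patched.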

siemens-developer commented 1 month ago

We have provided an update for security fixes now. For versioning, yes, we follow Semantic Versioning; we will check the feasibility of the proposed versioning.