Wasmtime GitHub notifications bot (May 09 2022 at 18:16): Wasmtime GitHub notifications bot (May 09 2022 at 18:16):cfallin commented on issue #4107:
Ben and I talked briefly about this PR today; first off, thank you for finding this issue! Given that the code has been replaced in the latest
main, the logic is slightly nontrivial (hence the fix carries some risk itself -- though I have no reason to believe it's incorrect, I also haven't looked at this code in a long time), and a new release with this code removed (0.37) should exist in ~10 days, I think on balance this probably not worth a point release. The impact is to debuginfo but not to the correctness of the generated code itself so this is not a potential security issue either.(For maximal clarity and to try to establish some precedent for later, if the code did still exist in
main, then we would take this as a fix and backport to a new point release, I think; the difference in that case is that it continues to be exposed to normal use and fuzzing onmainso the risk of issues in a unique side-branch is relatively smaller.)@bnjbvr does that sound reasonable? If not, happy to talk more :-)
Wasmtime GitHub notifications bot (May 09 2022 at 18:16):cfallin edited a comment on issue #4107:
Ben and I talked briefly about this PR today; first off, thank you for finding this issue! Given that the code has been replaced in the latest
main, and given the logic is slightly nontrivial (hence the fix carries some risk itself -- though I have no reason to believe it's incorrect, I also haven't looked at this code in a long time), and given a new release with this code removed (0.37) should exist in ~10 days, I think on balance this probably not worth a point release. The impact is to debuginfo but not to the correctness of the generated code itself so this is not a potential security issue either.(For maximal clarity and to try to establish some precedent for later, if the code did still exist in
main, then we would take this as a fix and backport to a new point release, I think; the difference in that case is that it continues to be exposed to normal use and fuzzing onmainso the risk of issues in a unique side-branch is relatively smaller.)@bnjbvr does that sound reasonable? If not, happy to talk more :-)
Wasmtime GitHub notifications bot (May 09 2022 at 18:55):bnjbvr commented on issue #4107:
That makes perfect sense to me, as discussed. We can keep on using our internal branch until the next release, as it's going to happen soon enough. Thanks for the nice summary!
Last updated: Oct 23 2024 at 20:03 UTC