Mosh: Time to cut a new release?

Created on 19 Apr 2018  路  24Comments  路  Source: mobile-shell/mosh

Last stable release was in July. There have been some useful features added to mosh, like --predict-overwrite and true color. Maybe its time to cut a RC in the hopes of moving towards a new stable release?

Most helpful comment

@cgull and I should make a plan for a new release and figure out who is going to do the work (since I know a lot of people want 24-bit colors and other features that are only in Git), but this last comment is so confusing to me. Mosh has so far never had a security hole and has been released and used by millions of people over the last seven years. Our security track record has so far (knock on wood) been a lot better than any of the other software in this area. Part of the reason we've achieved that track record is that we are conservative about adding new features and changing things. Getting nervous because we're not releasing a critical patch every month is... not the way we think people should be reasoning about security. :-)

All 24 comments

users of browsh could avoid compiling from source for true color support

@cgull the next Debian transition freeze will be on 2019-01-12. It is probably time to cut a release if you want a newer version of mosh to be in Debian buster. Especially if you plan to release one or two release candidates...

Hey @cgull , it'd be great to have a new release :)

I find it is often helpful to nominate and publish a release team for the next, N+1 release, then let a release-manager and/or that team nominate a target date and release milestones/goals/blockers. Just an idea. And recognising that everyone of course is a volunteer.

A release or RC would be great at this point. I think there are a lot of people that are looking for true color support without resorting to building from source.

Author of Browsh here, I know the pain of keeping people up to date. So in sympathy I offer the suggestion: Perhaps at least a roadmap or some rationale for the next release or lack thereof?

Seconding this, I get a bit nervous when it's been 2 years since the last release, especially for something involving remote code execution!

@cgull and I should make a plan for a new release and figure out who is going to do the work (since I know a lot of people want 24-bit colors and other features that are only in Git), but this last comment is so confusing to me. Mosh has so far never had a security hole and has been released and used by millions of people over the last seven years. Our security track record has so far (knock on wood) been a lot better than any of the other software in this area. Part of the reason we've achieved that track record is that we are conservative about adding new features and changing things. Getting nervous because we're not releasing a critical patch every month is... not the way we think people should be reasoning about security. :-)

@keithw @cgull Did you make progress on the plan? :)

Coming up on another 6 months since last comment; please make at least an alpha or candidate release to get the new features more tested!

Wondering if a release-manager has been nominated yet, or calls for volunteers for same.

Should this release from master be 1.3.3 or 1.4.0 based on semver rules?

@cgull @keithw @andersk friendly ping. are there any updates on cutting a new release?

Honestly, the progress of mosh development is so frustrating. The issues are piling and so does pull requests. I don鈥檛 mind compiling from source on the platform that I have control of.

The problem is from third party app that I rely on such as JuiceSSH & Terminus is still using release from THREE years ago. Can you imagine how long was that in this modern era?

I just want true color support. That鈥檚 it

Thank you
/RANT

I think there is room to fork the project at this point.

I think there is room to fork the project at this point.

Fork won't solve the 3rd party app problem, they always use version from official

Maybe we need to change our CI so that we upload a new "release" on every commit. For people who are asking for new releases, does that solve problems, or create new problems?

My thinking would be that this is not a great system for a security-focused piece of software -- it seems better for us to keep some control over the releases that people are running in the field. If the mere act of committing to master means pushing a release where we have to worry about a real-world impact from a hypothetical security hole, it seems like we will become even more conservative. I don't see a need for Mosh to be a leader on this before other security-minded software (OpenSSH, Chromium, OpenSSL) goes first.

But I mean of course but I would defer to @cgull . My understanding is that he plans to try to corral us towards a release sometime this year, with the hope of making Debian's next release (deadline likely to be early 2021). Commentators who lecture us about "modern" software development, would you also want the "modern" trend of monthly CVEs and emergency patches? :-) You are getting something in exchange for our conservatism -- a much better security track record than those other programs. It is not so black-and-white.

Maybe we need to change our CI so that we upload a new "release" on every commit. For people who are asking for new releases, does that solve problems, or create new problems?

It's not ideal, essentially everyone would be running code from development. Software versioning exists for a reason, a big one being stability and lack thereof in development code. I assume it would also be annoying for maintainers of package managers to always have to update on every commit.

I think you're thinking in the right direction, but honestly I don't think we need to go that far. Just cut a new version from master, let it sit as RC for some time, and release it as a new version.

All good points. I'm just thinking out loud here, and wonder in practice what additional stability/security come with an RC then a release. For anyone that asks about true color support or other new features, I've always been recommending to use master, without giving any warnings about stability/security. mosh is taking so few new features these days that master always feels stable to me, but I can certainly imagine how that wasn't true in mosh's past (and may not always be true in the future).

You bring up a good point about package maintainers. An RC is a strong signal to them to start to prepare a new package and to do whatever package-specific checks are needed (and then gives them time to provide feedback to us).

Is there any reasons to not tag an RC right now? (I guess it may signal that we're preparing to create a release when we actually aren't 馃槃 )

@keithw A very large fraction of those wanting a new release want it due to true color support, which is a relatively small patch (https://github.com/mobile-shell/mosh/pull/939/files). Do the security considerations still apply when doing a release just with a true color support?

FWIW, it seems the true color support was not merged directly: https://github.com/mobile-shell/mosh/pull/939#issuecomment-341920573

I just pushed your work, and some additional changes, to master.

I don't know how important the additional changes are, but I just tried a scratch build in Fedora with #939's patch, and it seems to work fine. I might ask Fedora's mosh maintainers to apply that, but of course a proper release would be nicer.

The rationale for release could be to add triaging bot and announce it. That can help mosh users with triaging and clarifying issues, most of which look like a support request or insufficient data.

Cutting a release once in a while is a good practice to calm users that the project is not dead, and security issues are still getting cared of. A pinned issue or a README.md might work for that as well.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

cshei picture cshei  路  5Comments

jscinoz picture jscinoz  路  7Comments

pravi picture pravi  路  5Comments

franzf picture franzf  路  5Comments

shibumi picture shibumi  路  5Comments