by azornathogron
1538 days ago
Regarding tracking bad CL ranges: Ecosystems (outside Google) which use versioned packages have the same requirement. If some version of a package you depend on has a bug then you might detect it yourself if you're lucky but more likely you won't detect it, so you need to use tools to centrally track known-bad versions and check whether your systems are affected. Package repositories support removing versions that are known to be bad for the same reason. Most of the attention in these areas is on security-related bugs right now, but that's really just a sub-category of the overall problem. I don't think the bad-versions tracking outside Google is any less complicated than the bad-CL-ranges tracking inside Google.