I am aware of libsodium's "point"/"stable" release version scheme. I would like to humbly request that it be reconsidered. It is problematic to have multiple software releases re-using the same version number, as has been previously noted[0]. The recent CVE has brought one of the problems it causes to the forefront: 1.0.20-stable is vulnerable, but 1.0.20-stable -- the same version -- is not, depending on what day it was downloaded. At time of writing (more than 4 days after disclosure), there has not yet been a release with a new version number. These issues are especially relevant to security-sensitive software such as a cryptographic library.
I would like to suggest one path that could be followed to an improved scheme. Any upcoming version (using the next version numbers as an example) could:
1. Release as 1.21.0.
2. The current "stable release" scheme could then be a 1.21 branch. From that could be released 1.21.1, 1.21.2, etc. when minor (or especially security-relevant!) fixes are made. Even continuing the daily snapshots with a 1.21.YYYYmmdd version would be an improvement over re-releasing the same version many times.
3. The current "point release" scheme would then be a bump to 1.22, and the aforementioned branching technique leads to stable releases 1.22.1, 1.22.2, etc.
Note that this allows more than one stable version to be maintained.
I realize any such change is likely a significant adjustment to whatever release processes exist. I believe it is worth the effort, but that's too easy to say when it's not my own effort. :)
I hope that opening this discussion leads to input from others. I don't believe I'm the only one to find the current release process difficult to work with.
Thanks for libsodium and taking the time to read this.
[0] #1124