lördag 16 september 2017

Software updates and versioning

When publishing software, it is custom to update software version when releasing an update. Why would you just silently replace a released software package with an updated one without changing version? In most cases this means that users downloading the package for the first time will get the latest package, but users that have downloaded the software previously will receive no notification about an update (assuming that there is an upgrade mechanism such as apt, yum or dnf, or in the Windows world maybe a custom software updater). If the update isn't worth pushing out to all users, why not just wait with pushing out the change until next official release? I don't know, but it feels like hiding something. Or maybe the publisher is just clueless. The only thing I could think of that would justify doing this, is if the software installation package has some minor issue (or completely broken thus preventing any installation). But not updating version numbers is just, well... weird.

This is what Jagex is doing with their RuneScape NXT client. The 2.2.4 version was released April 03 2017. But the package downloaded in August had a game binary with modification date 2017-07-12 and when downloaded in September, the game binary has a modification date of 2017-09-01. The package still has the same 2.2.4 version and there is no note in the change log. Checksum also differs on the deb package, causing at least at some point apt to complain about wrong checksum (somebody forgot to update the repodata when pushing out the new package?).

Curiously the July and September versions have the same file size, meaning that the binary maybe only has been recompiled, possibly with different settings. Of course some bits could have been flipped by purpose here and there, who knows?

A binary diff shows the following:

On the second row, c47e has been changed to e47e, meaning that the entry point of the program has been relocated (this can also be checked more easily with "readelf -h"). Large parts of the rest of the file is then also different. No library changes detected, though (checked with ldd).

Curiously also the changelog gzip file has been updated, but not the content.

If you really care about your users, I suggest bumping at least package version numbers and updating the change log. Having a versioned package with checksum in a repository is a mechanism to make users trust that they are downloading the correct file and not some rougue one, maybe hacked or man-in-the-middled file.

Anyway, I've updated the Fedora rpm with the latest changed package in the unofficial Fedora Runescape repository.

Read about the Fedora repo in my earlier blog post or here: https://johanh.net/runescape.html