[Greasemonkey] 0.4.2 - last call before open beta

Mark Pilgrim pilgrim at gmail.com
Fri Jul 29 09:47:31 EDT 2005


On 7/28/05, Aaron Boodman <zboogs at gmail.com> wrote:
> > Given the complete lack of any resemblance to or compatibility with
> > 0.4.0 or 0.4.1, could you please bump the version number to 0.5 before
> > unleashing it onto the world?
> 
> 0.4.2 is extremely similar to 0.4.1. ... Am I missing something?

0.4.0a1, 0.4.0a2, and 0.4.0a3 were vulnerable to the security holes
reported last week.

0.4.1a1 introduced an entirely new security architecture and broke
compatibility with Deer Park.  It also failed on application/xhtml+xml
pages, failed on invalid pages like Bloglines and Passport, failed if
a script called a function defined later.

0.4.1a2 fixed the known bugs in 0.4.1a1 but removed the anonymous
function wrapper around user scripts, which broke compatibility with
19 of my scripts that used a top-level "return" statement.  It also
had a bizarre bug -- probably left over from 0.4.1a1 -- where function
foo() failed in certain cases, but var foo = function() always worked.

0.4.1a3 re-added the anonymous function wrapper and fixed all known
bugs in 0.4.1a2.

0.4.2a1 moved the location of the scripts directory outside the
extensions tree and deleted everybody's scripts, re-introduced an old
problem with forward-defined functions, and introduced a new scope
chain (which, as it turned out, introduced a new security
vulnerability).

0.4.2a2 re-fixed the problem with forward-defined functions, and fixed
the migration routine.

0.4.1a3 changed the scoping chain, which closed the security
vulnerability introduced in 0.4.2a1 but broke at least 2 of my scripts
which I had modified for Deer Park compatibility under 0.4.1a3 or
0.4.2a1.


Please, for the love of God, let the 0.4.x.y.z line die a quiet and
well-deserved death, and call the next public release "0.5".

-- 
Cheers,
-Mark

