2.3.3 is not backward compatible with 2.3.2

[vsoskov]

There are changes to public methods that make it not backward compatible.
For example
func (src *AuthenticationOk) Encode(dst []byte) []byte {

func (src *AuthenticationOk) Encode(dst []byte) ([]byte, error)

There are vulnerabilities in the previous version which are fixed in 2.3.3 but it can't be used.

[jackc]

The signature change is part of the fix. Sorry, no good way around it.

[vsoskov]

I understand there is no "good way" around it. The problems is this way is in most cases just unusable. Can we do something that can be used? For example just panic on error if in almost all cases error never happens.
Also if you change signatures don't we have to increase major version?

[jackc]

I understand there is no "good way" around it. The problems is this way is in most cases just unusable. Can we do something that can be used? For example just panic on error if in almost all cases error never happens.

I considered panic. That removes the command injection vulnerability, but replaces it with a DoS vulnerability.

Also if you change signatures don't we have to increase major version?

As I understand it, incompatibilities due to security fixes are generally considered allowable.

---

Also, this change was made over 6 months ago. If we were to change the method signature back now, it wold break everyone who has already made the change.