SQLite User Forum

Considering using SQLite, question about support

(1) By Fletch (FBumpus) on 2022-06-03 17:32:40 [link] [source]

Hey everyone,

I've recommended that we use SQLite at my current place of business, and the response has been positive.

They did want to know what the typical turn-around time for fixes would be for any critical (read: security) issues that might arise. I think their concern is whether a fix would take days, weeks or months for critical issues.

So, the question I have is, how long are typical turn-around times for critical bug fixes with SQLite?

Thank you! Fletch

(2) By Richard Hipp (drh) on 2022-06-03 17:45:15 in reply to 1 [link] [source]

Check the history of this Forum - most bugs are reported here. We almost always have a fix on trunk within 24 hours, and 8 hours is a more usual turn-around time.

Patch releases take a few days. There have been 5 patches in the current release cycle. Go check the timeline to see how long it takes between a bug being reported and a patch release coming out. It isn't very long.

You can enter into a paid support agreement for even faster response.

SQLite is not a particularly security sensitive library. Historical attacks against SQLite have involved allowing the attacker to run arbitrary SQL and/or submit SQLite database files with carefully crafted corruption. Most real-world applications do not allow either of those things and so are not vulnerable to bugs. Even so, we work hard to ensure that SQLite is not vulnerable to attack even if you do allow random passers-by on the internet to submit arbitrary database files and arbitrary SQL to run against those files. See also Defense Against Dark Arts.
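The two attack surfaces named in post (2), crafted database files and arbitrary SQL, can be narrowed by the application that embeds SQLite. The following is an added example, not part of the thread or of SQLite's own code; the function names and the sample database are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def read_only_authorizer(action, arg1, arg2, dbname, source):
    # Permit plain reads only; writes, DDL, ATTACH and PRAGMA are refused.
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY

def open_untrusted(path):
    """Open a database file of unknown origin read-only; raise ValueError if it fails checks."""
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        conn.execute("PRAGMA trusted_schema=OFF")  # file's views/triggers get no untagged app functions
        conn.execute("PRAGMA cell_size_check=ON")  # extra b-tree sanity checks on page load
        report = conn.execute("PRAGMA quick_check").fetchall()
    except sqlite3.DatabaseError as exc:
        conn.close()
        raise ValueError(f"rejected: {exc}") from exc
    if report != [("ok",)]:
        conn.close()
        raise ValueError(f"rejected: {report[0][0]}")
    conn.set_authorizer(read_only_authorizer)  # governs every statement prepared from here on
    return conn

def build_sample(path, corrupt=False):
    # Constructed sample input: a two-page database, optionally with page 2 overwritten.
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA page_size=4096")
    conn.execute("CREATE TABLE t(id INTEGER PRIMARY KEY, v TEXT)")
    conn.executemany("INSERT INTO t(v) VALUES (?)", [("a",), ("b",), ("c",)])
    conn.commit()
    conn.close()
    if corrupt:
        with open(path, "r+b") as f:
            f.seek(4096)
            f.write(b"\xff" * 4096)
    return path

if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    db = open_untrusted(build_sample(os.path.join(tmp, "good.db")))
    print(db.execute("SELECT count(*) FROM t").fetchone())
    for sql in ("DELETE FROM t", "ATTACH DATABASE ':memory:' AS x"):
        try:
            db.execute(sql)
        except sqlite3.Error as exc:
            print(sql, "->", exc)
```

The pragmas run before the authorizer is installed because the authorizer also refuses PRAGMA statements.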

(3) By anonymous on 2022-06-03 17:48:38 in reply to 1 [link] [source]

I'm just a user, but in my experience over the last 20 years or so, the support on SQLite is way better than any other software product that I'm aware of.

(4) By Simon Slavin (slavin) on 2022-06-04 01:50:58 in reply to 3 [source]

+1. I've seen the developers pay minute attention to detail over many years. And the developers act genuinely concerned at any bug-report, investigating whether there really is a bug, and fixing bugs faster than I've seen in any development team bigger than a single person.

It's worth mentioning that even though you're getting SQLite for free (unless you choose paid support) other organisations pay a lot of money for every bug to be fixed. SQLite is built into everything from your smartphone to airplanes. People care about it.

(5.1) By Stephan Beal (stephan) on 2022-06-04 05:06:58 edited from 5.0 in reply to 1 [link] [source]

> They did want to know what the typical turn-around time for fixes would be for any critical (read: security) issues that might arise.

It seems likely that folks interested in such questions will also be interested to hear that this project does not track CVEs filed against it because so many of them are simply bogus. See this forum post for a statement on that topic and the remainder of the thread for more details.

Edit: see also: https://sqlite.org/cves.html

(6) By Trudge on 2022-06-04 17:45:07 in reply to 1 [link] [source]

I'm a Perl programmer and retired web developer. Was using MySQL locally for years until the native Apple Perl distro stopped supporting Perl DBI for MySQL. So been using SQLite for about 5 years now. I must say I am constantly amazed at what can be done with SQLite and this forum is a treasure of support and advice. I would say your worries about support are unfounded.