| 1 |
On Wed, 10 Jan 2018 22:46:04 +0200 |
| 2 |
Mart Raudsepp <leio@g.o> wrote: |
| 3 |
|
| 4 |
> On Wed, 2018-01-10 at 22:38 +0300, Peter Volkov wrote: |
| 5 |
> > On Wed, Jan 10, 2018 at 9:31 PM, Aaron W. Swenson |
| 6 |
> > <titanofold@gentoo. |
| 7 |
> > org> wrote: |
| 8 |
> > > Title: GnuCash 2.7+ Breaking Change |
| 9 |
> > |
| 10 |
> > Aaron, but why do we need this news item? 2.7 version is a |
| 11 |
> > development version that is not supposed to be used by end users. As |
| 12 |
> > far as I understand this backup is a temporary measure until stable |
| 13 |
> > release will be out. It's much better to have this version package |
| 14 |
> > masked. Then in package mask comment we could note the need for |
| 15 |
> > backup. |
| 16 |
> |
| 17 |
> 2.6 is insecure by 400+ ancient webkit-gtk security vulnerabilities, |
| 18 |
> we can't responsibly wait anymore. 2.7.3 was tested by Aaron (who |
| 19 |
> uses it daily) to work quite nicely. |
| 20 |
> I want to last rite gnucash-2.6 used webkit-gtk before the month is |
| 21 |
> over, as the maintainer of webkit-gtk, and if 2.7 isn't there, 2.6 |
| 22 |
> will simply be fully masked as well along it. |
| 23 |
|
| 24 |
I assume that the motivation to get 2.7 stabilized early it to protect |
| 25 |
users from potentional damages caused via webkit-gtk security |
| 26 |
vulnerabilities. However, provided that I use GnuCash to display only |
| 27 |
local web data (generated reports) I feel much more comfortable |
| 28 |
to entrust my data to the stable 2.6 version rather than unstable 2.7 |
| 29 |
about which the upstream says: |
| 30 |
|
| 31 |
"Unstable (development) releases are for testing purposes only. They |
| 32 |
contain the newest features and improvements, but may also contain |
| 33 |
serious bugs still. Don't install these releases for everyday use." [1] |
| 34 |
|
| 35 |
"Due to the possibility of data corruption, unstable releases should |
| 36 |
only be used on a copy of live GnuCash data." [2] |
| 37 |
|
| 38 |
I think generated reports are typical use of webkit in GnuCash. Are |
| 39 |
attack vectors so severe also in this case? |
| 40 |
|
| 41 |
Thank you. |
| 42 |
|
| 43 |
1. http://gnucash.org/download.phtml |
| 44 |
2. https://wiki.gnucash.org/wiki/Development_Process |
| 45 |
|
| 46 |
Robert |
| 47 |
|
| 48 |
|
| 49 |
-- |
| 50 |
Róbert Čerňanský |
| 51 |
E-mail: openhs@×××××××××.com |
| 52 |
Jabber: hs@××××××.sk |
Archives