On Wed, 10 Jan 2018 22:46:04 +0200
Mart Raudsepp <leio@g.o> wrote:

> On Wed, 2018-01-10 at 22:38 +0300, Peter Volkov wrote:
> > On Wed, Jan 10, 2018 at 9:31 PM, Aaron W. Swenson
> > <titanofold@gentoo.org> wrote:
> > > Title: GnuCash 2.7+ Breaking Change
> >
> > Aaron, but why do we need this news item? 2.7 version is a
> > development version that is not supposed to be used by end users. As
> > far as I understand this backup is a temporary measure until stable
> > release will be out. It's much better to have this version package
> > masked. Then in package mask comment we could note the need for
> > backup.
>
> 2.6 is insecure by 400+ ancient webkit-gtk security vulnerabilities,
> we can't responsibly wait anymore. 2.7.3 was tested by Aaron (who
> uses it daily) to work quite nicely.
> I want to last rite gnucash-2.6 used webkit-gtk before the month is
> over, as the maintainer of webkit-gtk, and if 2.7 isn't there, 2.6
> will simply be fully masked as well along with it.

I assume that the motivation to get 2.7 stabilized early is to protect
users from potential damages caused via webkit-gtk security
vulnerabilities. However, provided that I use GnuCash to display only
local web data (generated reports) I feel much more comfortable
to entrust my data to the stable 2.6 version rather than unstable 2.7
about which the upstream says:

"Unstable (development) releases are for testing purposes only. They
contain the newest features and improvements, but may also contain
serious bugs still. Don't install these releases for everyday use." [1]

"Due to the possibility of data corruption, unstable releases should
only be used on a copy of live GnuCash data." [2]

I think generated reports are typical use of webkit in GnuCash. Are
attack vectors so severe also in this case?

Thank you.

1. http://gnucash.org/download.phtml
2. https://wiki.gnucash.org/wiki/Development_Process

Robert


--
Róbert Čerňanský
E-mail: openhs@×××××××××.com
Jabber: hs@××××××.sk