Re: Recommendations for upgrading for SQL-Ledger users

[John Hobbs <..hidden..>]

Chris Travers wrote:
> Hi all;
>
> Most of us in the community are frustrated with the issues that have
> plagued LSMB 1.2.x.  I wanted to send in my recommendations and ask
> for other comments.
>
> 1.1.x:
> SQL-Ledger 2.6.x (and earlier) users should upgrade at their earliest
> convenience at least as far as 1.1.12.  A large number of serious
> security issues have been addressed here which make authentication
> bypass and/or login hijack.  However LSMB 1.1.x has a large number of
> SQL-injection issues inherited from SQL-Ledger which could be used to
> cause all manner of problems.
>
> Please note that only serious authentication bypass or data integrity
> issues are likely to be fixed in 1.1.x.
>
> 1.1.x represents a simple, easy-to-hit target.  Code refactoring and
> re-engineering had not yet begun, but there are known security issues
> that cannot be easily fixed without causing a great number of bugs.
> These include SQL injection issues which could be used by a malicious
> user to alter the audit trails to suggest that someone else posted a
> transaction (that is an embezzlement risk).
>
> One other benefit of upgrading at least this far is the fact that you
> will get fair warning if there are data integrity issues in your
> SQL-Ledger installation which could cause problems later.
>
> 1.2.x:
> THis release is a bit or a problem release and will probably go down
> as our equivalent of Apache 2.0.  There are compelling reasons to
> upgrade:  we resolved all known SQL-injection issues and added many
> additional measures to prevent arbitrary code execution.  However, the
> upgrade is not smooth and one can expect some possible problems.
>
> If you have any sort of real authentication enforcement needs, we
> suggest upgrading to this version.  This is not a smooth process.  But
> we as a community will do what we have to in order to help make this
> work for you.
>
> 1.3.x is not yet out but it will be the the logical migration point
> for SQL-Ledger 2.8.x users.  We expect it to be far less problematic
> than 1.2.x simply because the most problematic changes in our road to
> 2.0 were in that release.  There are likely to be some issues with
> custom templates, however.
>   
Chris, thank you for the explanation. Can I get a little clarification 
please.

If I convert my 2.6.x SL to 1.1.12 LS and I don't feel I have  
compelling reasons to go to 1.2 at this time, would I be converting down 
the road to a more stable 1.2 and then to 1.3? Or would there be a 
migration path of 1.1.12 to 1.3 directly? And finally, (I know it's 
ready when it's ready) do you have any feel for the time lines?

My reason for asking is that my fiscal year starts in July and I would 
like to be operational July 1 with the best, most stable state I can be 
in at that time. Any upgrades I apply after that must be relatively 
trouble-free. I am looking for information that would help me formulate 
a strategy.

Thanks for all your efforts with this.

John

--
John Hobbs
Chryxus Corporation