Re: LedgerSMB 1.2.21 release candidate 1 available
- Subject: Re: LedgerSMB 1.2.21 release candidate 1 available
- From: Chris Travers <..hidden..>
- Date: Fri, 12 Mar 2010 09:02:53 -0800
On Fri, Mar 12, 2010 at 8:27 AM, Armaghan Saqib <..hidden..> wrote:
> On Fri, Mar 12, 2010 at 11:31 AM, Chris Travers <..hidden..> wrote:
>>> I have recently seen a number of bug fix releases for LSMB 1.2 and was
>>> just wondering how long it is planned to keep providing fixes for LSMB
>>> 1.2 once 1.3 is released.
>>
>> Until PostgreSQL 8.0 is no longer supported.
>
> I am not familiar with the postgres release/support cycle. Can somebody
> give me an idea of how long 8.0 is supported?
Another 1-2 years is likely.
>
> What I was thinking is that with all these fixes (and probably more in
> future) the 1.2 branch will become extremely stable and should be an ideal
> choice for deployment at places where the feature rich future releases
> (1.3, 2.0) are not needed.
1.3 honestly has more important security features. Sometimes those
are relatively unimportant, but that's not often the case. Some
security issues with 1.2 are only things which can be mitigated, not
entirely fixed. With 1.3, we have the first release where it is
practical to fix any security issue reported.
>
> And if I remember correctly 1.2 also works perfectly with 8.3 (8.4?)
> so why is it tied to 8.0?
1.2 should work with any version of at least 8.0 or higher. However,
the version has a number of issues which cannot be reasonably fixed
during a production branch. These include XSRF vulnerabilities, and
some HTML injection possibilities. While we have mitigated this risk
to the extent possible, fixing it requires substantial rewrites of
portions of the code. Furthermore, 1.2 has no real permissions
enforcement.
These are probably OK in some circumstances, but the situation breaks
down quickly.
1.3 requires PostgreSQL 8.1 because we use features from that version
to manage and enforce permissions. Once PostgreSQL 8.0 is fully
retired, I think it will be hard to justify installing something
which, as secure as we have made it all things considered, still falls
short in a number of important ways. I would expect 2.0 (at least in
a minimalist form) to be out before 1.2 is retired entirely. For
folks who don't need lots of features, a minimalist installation of
2.0 may be the way to go.
Best Wishes,
Chris Travers
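The permission enforcement Chris refers to relies on PostgreSQL roles, which first appeared in 8.1 (8.0 only had separate users and groups without role membership). The SQL below is an added illustration of that pattern, not code from LedgerSMB or from this thread, and its role and table names are hypothetical: privileges are granted to capability roles, login roles are made members of them, and the database itself refuses anything outside those grants, even for a client that bypasses the application.

```sql
-- Added example: database-enforced permissions with PostgreSQL roles (8.1+).
-- Role and table names are hypothetical, not LedgerSMB's actual schema.

-- A table that holds sensitive accounting data (constructed for this example).
CREATE TABLE ar_invoices (id serial PRIMARY KEY, amount numeric NOT NULL);

-- Make sure no privileges leak through PUBLIC.
REVOKE ALL ON ar_invoices FROM PUBLIC;

-- Capability roles cannot log in; privileges are granted to them, not to people.
CREATE ROLE ar_readonly NOLOGIN;
GRANT USAGE ON SCHEMA public TO ar_readonly;
GRANT SELECT ON ar_invoices TO ar_readonly;

CREATE ROLE ar_poster NOLOGIN;
GRANT USAGE ON SCHEMA public TO ar_poster;
GRANT SELECT, INSERT, UPDATE ON ar_invoices TO ar_poster;

-- Each user gets a login role and is made a member of capability roles.
-- With the default INHERIT, the member automatically holds those grants.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me';
GRANT ar_readonly TO alice;

-- Check enforcement from the database side rather than trusting the
-- application: switch to alice (possible here because we are a superuser).
SET ROLE alice;

-- Permitted: alice inherits SELECT through ar_readonly.
SELECT count(*) FROM ar_invoices;

-- Rejected by the database itself: alice holds no DELETE privilege, and a
-- direct psql connection gets exactly the same answer as the application.
DELETE FROM ar_invoices WHERE id = 1;

RESET ROLE;
```

Promoting alice to posting rights is a single GRANT ar_poster TO alice, and revoking it is a single REVOKE, with no application code involved.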