
Re: LedgerSMB 1.2.21 release candidate 1 available



Hi,
Is anyone putting together Debian packages any longer?
Scott Martin
----------------original message-----------------
From: "Chris Travers" ..hidden..
To: ..hidden..
Date: Fri, 12 Mar 2010 09:02:53 -0800
-------------------------------------------------
> On Fri, Mar 12, 2010 at 8:27 AM, Armaghan Saqib ..hidden.. wrote:
>> On Fri, Mar 12, 2010 at 11:31 AM, Chris Travers ..hidden.. wrote:
>>>> I have recently seen a number of bug fix releases for LSMB 1.2 and was
>>>> just wondering how long it is planned to keep providing fixes for LSMB
>>>> 1.2 once 1.3 is released.
>>>
>>> Until PostgreSQL 8.0 is no longer supported.
>>
>> I am not familiar with postgres release/support cycle. Can somebody
>> give me the idea how long 8.0 is supported?
> 
> Another 1-2 years is likely.
>>
>> What I was thinking is that with all these fixes (and probably more in
>> future) 1.2 branch will become extremely stable and should be an ideal
>> choice for deployment at places where the feature rich future releases
>> (1.3, 2.0) are not needed.
> 
> 1.3 honestly has more important security features. Sometimes those
> are relatively unimportant, but that's not often the case. Some
> security issues with 1.2 are only things which can be mitigated, not
> entirely fixed. With 1.3, we have the first release where it is
> practical to fix any security issue reported.
> 
>>
>> And if I remember correctly 1.2 also works perfectly with 8.3 (8.4?)
>> so why it is tied to 8.0?
> 
> 1.2 should work with any version of at least 8.0 or higher. However,
> the version has a number of issues which cannot be reasonably fixed
> during a production branch. These include XSRF vulnerabilities, and
> some HTML injection possibilities. While we have mitigated this risk
> to the extent possible, fixing it requires substantial rewrites of
> portions of the code. Furthermore, 1.2 has no real permissions
> enforcement.
> 
> These are probably OK in some circumstances, but the situation breaks
> down quickly.
> 
> 1.3 requires PostgreSQL 8.1 because we use features from that version
> to manage and enforce permissions. Once PostgreSQL 8.0 is fully
> retired, I think it will be hard to justify installing something
> which, as secure as we have made it all things considered, still falls
> short in a number of important ways. I would expect 2.0 (at least in
> a minimalist form) to be out before 1.2 is retired entirely. For
> folks who don't need lots of features, a minimalist installation of
> 2.0 may be the way to go.
> 
> Best Wishes,
> Chris Travers
> 
> 
> _______________________________________________
> Ledger-smb-users mailing list
> ..hidden..
> https://lists.sourceforge.net/lists/listinfo/ledger-smb-users
>
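Chris's remark that 1.3 relies on PostgreSQL 8.1 features to "manage and enforce permissions" can be illustrated with database roles, which PostgreSQL introduced in 8.1. The block below is an added example, not LedgerSMB's own schema or code; the table, group roles and user names are constructed for the illustration, and the assumption that roles are the relevant 8.1 feature is mine rather than something the thread states.

```sql
-- Added example (not LedgerSMB code): permission enforcement done by the
-- database itself via roles, so the application layer cannot bypass it.
-- All names below are constructed for the illustration.

CREATE TABLE ar_invoice (
    id       integer PRIMARY KEY,
    customer text NOT NULL,
    amount   numeric(12,2) NOT NULL
);

-- Remove the implicit access every connecting user would otherwise inherit.
REVOKE ALL ON ar_invoice FROM PUBLIC;

-- Group roles carry the privileges; NOLOGIN means they are only inherited.
CREATE ROLE ar_read  NOLOGIN;
CREATE ROLE ar_write NOLOGIN;
GRANT SELECT ON ar_invoice TO ar_read;
GRANT INSERT, UPDATE ON ar_invoice TO ar_write;

-- Login roles for application users; privileges come from group membership.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me';
GRANT ar_read TO alice;

CREATE ROLE bob LOGIN PASSWORD 'placeholder-change-me';
GRANT ar_read  TO bob;
GRANT ar_write TO bob;

-- Check: when connected as alice this statement is rejected with a
-- "permission denied" error, because alice holds only SELECT.
-- Run as bob it succeeds, because bob is a member of ar_write.
-- INSERT INTO ar_invoice (id, customer, amount) VALUES (1, 'Acme', 100.00);
```

The design point is that an HTML injection or request-forgery bug in the web tier cannot grant a user more than their database role allows, which is the difference between mitigating such bugs in the application (as described for 1.2) and having a second enforcement layer underneath it.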