severity 409703 important
retitle 409703 SQL-ledger unsafe for use with untrusted users or public installations
tags 409703 + wontfix
thanks

On Fri, 02 Mar 2007, Steve Langasek wrote:
> > I've done that but I closed the bug, so that its progression in etch can be
> > properly tracked. We ought to reopen it once it's in etch.
> 
> Please don't do this, it subverts the intent of version-tracking.
> 
> Instead:
> 
> - If you consider this to be two separate bugs, one about the documentation
>   issue and one about the actual security holes, where only the
>   documentation one is to be considered RC, please split the bug, adjust the
>   severities, and close only the documentation bug in this version.

Right, I should have done that. Now it's a bit late. I'll simply leave that
bug open for documentation purposes.

The explanation for the tags and the subject is: the upstream developer
has written this software without having security implications in mind.
This means that there are numerous security vulnerabilities, discovered
and undiscovered. Those which have been discovered have not been fixed
upstream. And we don't have the resources to take care of this by
ourselves.

However, there are only a few alternatives for serious accounting that have
the level of features of SQL-ledger, so we prefer keeping the software
despite this.

In the longer term, we're considering switching to LedgerSMB, which is a
fork of SQL-Ledger, and it should be a goal for lenny to provide a nice
upgrade path between the two.

Volunteers are welcome!

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
