On Wed, Aug 4, 2021 at 9:06 PM sebb <seb...@gmail.com> wrote:
>
> On Thu, 5 Aug 2021 at 01:15, Sam Ruby <ru...@intertwingly.net> wrote:
> >
> > On Wed, Aug 4, 2021 at 7:38 PM sebb <seb...@gmail.com> wrote:
> > >
> > > On Thu, 5 Aug 2021 at 00:14, Sam Ruby <ru...@intertwingly.net> wrote:
> > > >
> > > > It looks like sebb disabled security updates on wunderbar, which seems 
> > > > unwise.
> > >
> > > Updates were *not* disabled, but updates are no longer automatically 
> > > installed.
> > >
> > > This was done because one of the previous updates to Wunderbar broke 
> > > things.
> > >
> > > https://lists.apache.org/thread.html/r2d1a2e39bd92390e68efebc5bd53b4594271492468728c1ca45ab895%40%3Cdev.whimsical.apache.org%3E
> >
> > Once whimsy updated to Ruby 2.7, Ruby safety checks were no longer
> > something that could be trusted, and wunderbar was updated to require
> > an opt in to retain the old (insecure) behavior.
> >
> > Had the version of wunderbar been pinned before that change, whimsy
> > would have had a security issue.  If there is a choice between
> > availability (up time) and security, we need to prioritize security.
> >
> > What you have implemented is unwise, and I therefore am now giving my
> > -1 to that approach and am requesting that it be reverted.
>
> Is it always wise to update to the most recent version of a Gem?
> i.e. does a new release never have a new security issue?

Should we turn off "apt-get update"?

Meanwhile the secretary workbench is down, and I'm asking you to honor my -1.

> Note that ruby2js is currently pinned - should that be unpinned also?

It seems rather odd that you have picked exactly those two gems to
pin.  And yet any fix I personally make directly to whimsy gets
deployed instantly.

All other gems (and, for that matter, apt-get packages and any direct
software changes) get updated and deployed automatically.

Wunderbar has been feature complete (and therefore stable) for quite some time.

Ruby2JS is quiet at the moment, but there has been significant
development this past year.  It is true that Ruby2JS had a regression
which was detected on December 29, and promptly fixed on December 29.

Since you decided to pin Ruby2JS and not update it for over seven
months - what is your plan to upgrade to the latest version?

- Sam Ruby
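As an added example that is not part of this thread or of the whimsy, wunderbar or ruby2js projects, the following Ruby script shows the middle ground between the two positions above (an exact pin for stability versus no pin for security): a pessimistic version constraint admits patch and minor releases, which is where security fixes normally land, while excluding a new major version, and a small lockfile check reports whether a pinned version is behind a release known to carry a fix. It uses only RubyGems' own Gem::Requirement and Gem::Version classes; the gem names, release history and Gemfile.lock excerpt are constructed for illustration and are not real wunderbar or ruby2js versions.

```ruby
# Added example, not code from whimsy, wunderbar or ruby2js.
# Demonstrates how an exact pin, a pessimistic constraint and an unpinned
# gem each resolve against the same (constructed) release history, and how
# to check a lockfile's pinned version against a known fixed version.
require 'rubygems'

# Constructed release history for a hypothetical gem (not real releases).
RELEASES = %w[1.3.0 1.3.1 1.4.0 1.4.1 2.0.0].map { |v| Gem::Version.new(v) }

# Newest release satisfying a Gemfile-style requirement string:
#   '= 1.3.1'  exact pin: never moves, so never picks up a fix
#   '~> 1.3'   pessimistic: >= 1.3, < 2.0 (patch and minor updates allowed)
#   '~> 1.3.0' pessimistic: >= 1.3.0, < 1.4 (patch updates only)
#   '>= 0'     unpinned: whatever is newest, including breaking majors
def resolve(requirement_string, releases = RELEASES)
  req = Gem::Requirement.new(requirement_string)
  releases.select { |v| req.satisfied_by?(v) }.max
end

# Matches a "name (version)" specs line as written in Gemfile.lock.
LOCK_LINE = /\A\s*([A-Za-z0-9_\-]+) \(([^)]+)\)\s*\z/

# True when the locked version is older than the version containing a fix.
def behind_fix?(lock_line, fixed_in)
  m = LOCK_LINE.match(lock_line) or
    raise ArgumentError, "not a lock line: #{lock_line.inspect}"
  Gem::Version.new(m[2]) < Gem::Version.new(fixed_in)
end

# Constructed Gemfile.lock excerpt (hypothetical gem names and versions).
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      examplegem (1.3.1)
      othergem (0.9.0)
LOCK

# Parse the "name (version)" lines of a lockfile into a name => version hash.
def locked_versions(lock_text)
  lock_text.lines.each_with_object({}) do |line, acc|
    m = LOCK_LINE.match(line.strip)
    acc[m[1]] = m[2] if m
  end
end

if __FILE__ == $PROGRAM_NAME
  ['= 1.3.1', '~> 1.3', '~> 1.3.0', '>= 0'].each do |req|
    puts format('%-9s resolves to %s', req, resolve(req))
  end
  locked_versions(SAMPLE_LOCK).each do |name, version|
    # Pretend 1.3.2 is the release that carried a fix for examplegem.
    flag = name == 'examplegem' && behind_fix?("#{name} (#{version})", '1.3.2')
    puts "#{name} #{version}#{flag ? '  <- behind fix in 1.3.2' : ''}"
  end
end
```

The point of the script is that `'~> 1.3'` would have picked up a hypothetical 1.3.2 fix automatically, `'= 1.3.1'` would not, and `'>= 0'` would also pull in 2.0.0, which is the kind of jump that breaks a deployment. In a real repository the same check belongs in CI against the committed Gemfile.lock, alongside an advisory scanner, so that a pin does not silently sit behind a security release for months.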
