On Wed, 10 Jan 2018 22:46:04 +0200
Mart Raudsepp <l...@gentoo.org> wrote:

> On Wed, 2018-01-10 at 22:38 +0300, Peter Volkov wrote:
> > On Wed, Jan 10, 2018 at 9:31 PM, Aaron W. Swenson
> > <titanofold@gentoo.  
> > org> wrote:
> > > Title: GnuCash 2.7+ Breaking Change  
> > 
> > Aaron, but why do we need this news item? 2.7 version is a
> > development version that is not supposed to be used by end users. As
> > far as I understand this backup is a temporary measure until stable
> > release will be out. It's much better to have this version package
> > masked. Then in package mask comment we could note the need for
> > backup.  
> 
> 2.6 is insecure by 400+ ancient webkit-gtk security vulnerabilities,
> we can't responsibly wait anymore. 2.7.3 was tested by Aaron (who
> uses it daily) to work quite nicely.
> I want to last rite gnucash-2.6 used webkit-gtk before the month is
> over, as the maintainer of webkit-gtk, and if 2.7 isn't there, 2.6
> will simply be fully masked as well along it.

I assume that the motivation to get 2.7 stabilized early it to protect
users from potentional damages caused via webkit-gtk security
vulnerabilities.  However, provided that I use GnuCash to display only
local web data (generated reports) I feel much more comfortable
to entrust my data to the stable 2.6 version rather than unstable 2.7
about which the upstream says:

"Unstable (development) releases are for testing purposes only. They
contain the newest features and improvements, but may also contain
serious bugs still. Don't install these releases for everyday use." [1]

"Due to the possibility of data corruption, unstable releases should
only be used on a copy of live GnuCash data." [2]

I think generated reports are typical use of webkit in GnuCash.  Are
attack vectors so severe also in this case?

Thank you.

1. http://gnucash.org/download.phtml
2. https://wiki.gnucash.org/wiki/Development_Process

Robert


-- 
Róbert Čerňanský
E-mail: ope...@tightmail.com
Jabber: h...@jabber.sk

Reply via email to