On Wed, 10 Jan 2018 22:46:04 +0200 Mart Raudsepp <l...@gentoo.org> wrote:
> On Wed, 2018-01-10 at 22:38 +0300, Peter Volkov wrote:
> > On Wed, Jan 10, 2018 at 9:31 PM, Aaron W. Swenson
> > <titanofold@gentoo.org> wrote:
> > > Title: GnuCash 2.7+ Breaking Change
> >
> > Aaron, but why do we need this news item? 2.7 version is a
> > development version that is not supposed to be used by end users. As
> > far as I understand this backup is a temporary measure until stable
> > release will be out. It's much better to have this version package
> > masked. Then in package mask comment we could note the need for
> > backup.
>
> 2.6 is insecure by 400+ ancient webkit-gtk security vulnerabilities,
> we can't responsibly wait anymore. 2.7.3 was tested by Aaron (who
> uses it daily) to work quite nicely.
> I want to last rite gnucash-2.6 used webkit-gtk before the month is
> over, as the maintainer of webkit-gtk, and if 2.7 isn't there, 2.6
> will simply be fully masked as well along it.

I assume that the motivation to get 2.7 stabilized early is to protect
users from potential damages caused via webkit-gtk security
vulnerabilities. However, provided that I use GnuCash to display only
local web data (generated reports) I feel much more comfortable to
entrust my data to the stable 2.6 version rather than unstable 2.7
about which the upstream says:

"Unstable (development) releases are for testing purposes only. They
contain the newest features and improvements, but may also contain
serious bugs still. Don't install these releases for everyday use." [1]

"Due to the possibility of data corruption, unstable releases should
only be used on a copy of live GnuCash data." [2]

I think generated reports are typical use of webkit in GnuCash. Are
attack vectors so severe also in this case?

Thank you.

1. http://gnucash.org/download.phtml
2. https://wiki.gnucash.org/wiki/Development_Process

Robert

--
Róbert Čerňanský
E-mail: ope...@tightmail.com
Jabber: h...@jabber.sk