From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 2C570138206 for ; Tue, 16 Jan 2018 14:17:32 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 67AB4E08FB; Tue, 16 Jan 2018 14:17:25 +0000 (UTC) Received: from smtp101-3.vfemail.net (onethreethree.vfemail.net [199.16.11.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 15886E0827 for ; Tue, 16 Jan 2018 14:17:24 +0000 (UTC) Received: (qmail 22352 invoked by uid 89); 16 Jan 2018 14:16:56 -0000 Received: by simscan 1.4.0 ppid: 22346, pid: 22349, t: 0.1820s scanners:none Received: from unknown (HELO bXlzZWw=) (aHNAdmZlbWFpbC5uZXQ=@ODcuMjQ0LjIzMy4xNTM=) by 172.16.100.61 with ESMTPSA (DHE-RSA-AES256-GCM-SHA384 encrypted, authenticated); 16 Jan 2018 14:16:55 -0000 X-Received: id 0331940055 for ; Tue, 16 Jan 2018 15:07:58 +0100 (CET) Date: Tue, 16 Jan 2018 15:07:45 +0100 From: =?UTF-8?Q?R=C3=B3bert_=C4=8Cer=C5=88ansk=C3=BD?= To: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] News Item: GnuCash 2.7+ Breaking Change Message-ID: <20180116150745.0000412a@tightmail.com> In-Reply-To: <1515617164.20929.1.camel@gentoo.org> References: <20180110183135.GD15225@martineau.grandmasfridge.local> <1515617164.20929.1.camel@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Archives-Salt: 6c8813d6-2060-43e6-aa2e-6147fd6e4cb5 X-Archives-Hash: 01723a8fd7affdd2d471fd624b9cf77c On Wed, 10 Jan 2018 22:46:04 +0200 Mart Raudsepp wrote: > On Wed, 2018-01-10 at 22:38 +0300, Peter Volkov wrote: > > On Wed, Jan 10, 2018 at 9:31 PM, Aaron W. Swenson > > > org> wrote: > > > Title: GnuCash 2.7+ Breaking Change =20 > >=20 > > Aaron, but why do we need this news item? 2.7 version is a > > development version that is not supposed to be used by end users. As > > far as I understand this backup is a temporary measure until stable > > release will be out. It's much better to have this version package > > masked. Then in package mask comment we could note the need for > > backup. =20 >=20 > 2.6 is insecure by 400+ ancient webkit-gtk security vulnerabilities, > we can't responsibly wait anymore. 2.7.3 was tested by Aaron (who > uses it daily) to work quite nicely. > I want to last rite gnucash-2.6 used webkit-gtk before the month is > over, as the maintainer of webkit-gtk, and if 2.7 isn't there, 2.6 > will simply be fully masked as well along it. I assume that the motivation to get 2.7 stabilized early it to protect users from potentional damages caused via webkit-gtk security vulnerabilities. However, provided that I use GnuCash to display only local web data (generated reports) I feel much more comfortable to entrust my data to the stable 2.6 version rather than unstable 2.7 about which the upstream says: "Unstable (development) releases are for testing purposes only. They contain the newest features and improvements, but may also contain serious bugs still. Don't install these releases for everyday use." [1] "Due to the possibility of data corruption, unstable releases should only be used on a copy of live GnuCash data." [2] I think generated reports are typical use of webkit in GnuCash. Are attack vectors so severe also in this case? Thank you. 1. http://gnucash.org/download.phtml 2. https://wiki.gnucash.org/wiki/Development_Process Robert --=20 R=C3=B3bert =C4=8Cer=C5=88ansk=C3=BD E-mail: openhs@tightmail.com Jabber: hs@jabber.sk