Playing with YOU and working with MediaWiki, I noticed the last YOU update was 1.4.x (with x=7, but I'm not sure of that). MediaWiki being at stable 1.6.3, I wondered if this was a good choice. I asked the mediawiki list and got the answer below: MediaWiki is maintained for approx. 1 year.

Given SUSE Linux is said to have security updates for two years, I wonder what is going to be done. Will a Novell programmer make the necessary patches to 1.4? Will SUSE (YOU) provide an upgrade to 1.5 or 1.6... given I'm stuck with the 1.6 upgrade :-)

PHP scripts are very sensitive materials. A vulnerability found there can severely impact a server.

But of course my question is not about MediaWiki (I already cope with this one :-), but more generally, given the speed of the working Linux flow, how is the update policy set up? 10.0 is pretty fresh :-)

jdd
-------- Original Message --------
Subject: Re: [Mediawiki-l] security update policy
Date: Sat, 22 Apr 2006 23:48:43 -0700
From: Brion Vibber

> After installing and updating to the very last security updates, I ended up with MediaWiki 1.4.7 (not sure of the "7").
> So my question:
> How long do you plan to make security updates on old products?

About a year, generally.

> I wonder if a 1.4 will still be secure :-) and how long :-)

1.4.0 was released March 20, 2005, a bit over a year ago. The most recent fix release on 1.4 is 1.4.14, released January 19, 2006.

-- brion vibber (brion @ pobox.com)

--
http://www.dodin.net
http://dodin.org/galerie_photo_web/expo/index.html
http://lucien.dodin.net
http://fr.susewiki.org/index.php?title=Gérer_ses_photos
On Sun, Apr 23, 2006 at 09:38:02AM +0200, jdd wrote:

> Playing with YOU and working with MediaWiki, I noticed the last YOU update was 1.4.x (with x=7, but I'm not sure of that).
> MediaWiki being at stable 1.6.3, I wondered if this was a good choice. I asked the mediawiki list and got the answer below: MediaWiki is maintained for approx. 1 year.
> Given SUSE Linux is said to have security updates for two years, I wonder what is going to be done.
> Will a Novell programmer make the necessary patches to 1.4? Will SUSE (YOU) provide an upgrade to 1.5 or 1.6... given I'm stuck with the 1.6 upgrade :-)

We currently do this, yes:

$ ls -l /work/SRC/old-versions/10.0/all/mediawiki
-rw-r--r-- 1 root root     854 2006-03-30 14:35 MD5SUMS
-rw-r--r-- 1 root root      42 2006-03-30 14:35 MD5SUMS.meta
-rw-r--r-- 1 root root     358 2006-01-26 11:08 mediawiki-1.4.5-permission-fix.diff
-rw-r--r-- 1 root root     399 2006-01-26 11:08 mediawiki-1.4.7-DoS-CVE-2006-0322.diff
-rw-r--r-- 1 root root     443 2006-01-26 11:08 mediawiki-1.4.7-EditPage.diff
-rw-r--r-- 1 root root    1162 2006-01-26 11:08 mediawiki-1.4.7-IE-XSS.diff
-rw-r--r-- 1 root root    1604 2005-12-07 14:47 mediawiki-1.4.7-php4.4.1.diff
-rw-r--r-- 1 root root 1485633 2006-01-26 11:08 mediawiki-1.4.7.tar.bz2
-rw-r--r-- 1 root root    2174 2006-01-26 11:08 mediawiki-1.4.7-xss-CAN-2005-2396.diff
-rw-r--r-- 1 root root    1849 2006-01-26 11:08 mediawiki-1.4.7-xss-CVE-2005-4501.diff
-rw-r--r-- 1 root root    3121 2006-01-26 11:08 mediawiki-1.4.7-xss-math.diff
-rw-r--r-- 2 root root    1459 2006-03-28 13:24 mediawiki-1.4.7-xss-parser.diff
-rw-r--r-- 2 root root    2155 2006-03-28 16:39 mediawiki.changes
-rw-r--r-- 2 root root    4922 2006-03-30 14:35 mediawiki.spec
-rw-r--r-- 1 root root    1140 2006-01-26 11:08 README.SuSE
-rw-r--r-- 1 root root       0 2006-03-30 14:35 ready

> PHP scripts are very sensitive materials. A vulnerability found there can severely impact a server.

Just do not use them. ;)

> But of course my question is not about MediaWiki (I already cope with this one :-), but more generally, given the speed of the working Linux flow, how is the update policy set up? 10.0 is pretty fresh :-)

2 years of security updates, as with the dozen SUSE Linux releases before.

Ciao, Marcus
Marcus Meissner wrote:

> > Will a Novell programmer make the necessary patches to 1.4? Will SUSE (YOU) provide an upgrade to 1.5 or 1.6... given I'm stuck with the 1.6 upgrade :-)
>
> We currently do this, yes:
>
> $ ls -l /work/SRC/old-versions/10.0/all/mediawiki
> -rw-r--r-- 1 root root 1604 2005-12-07 14:47 mediawiki-1.4.7-php4.4.1.diff

The official last 1.4 version is 1.4.14.

> > PHP scripts are very sensitive materials. A vulnerability found there can severely impact a server.
>
> Just do not use them. ;)

The server is just made to run these :-)

> 2 years of security updates, as with the dozen SUSE Linux releases before.

I don't question the security releases, just the way they are done. At first glance it seems very expensive to fix programs that were not intended to be, when the developers do this better (I beg) and for free, just to stay with obsolete versions. I mean, if the developer of the app XXxx gives two years of security updates, it seems enough to use them. If not, how can you be sure? Does this mean you have a programmer for any and each package available on SUSE Linux? If yes, is this one included in the main developer team or working alone?

I think it's very interesting to know. I think you often do more work internally than most people know, and you are not granted for it :-)

jdd
On Sun, Apr 23, 2006 at 10:35:56AM +0200, jdd wrote:

> Marcus Meissner wrote:
>
> > > Will a Novell programmer make the necessary patches to 1.4? Will SUSE (YOU) provide an upgrade to 1.5 or 1.6... given I'm stuck with the 1.6 upgrade :-)
> >
> > We currently do this, yes:
> >
> > $ ls -l /work/SRC/old-versions/10.0/all/mediawiki
> > -rw-r--r-- 1 root root 1604 2005-12-07 14:47 mediawiki-1.4.7-php4.4.1.diff
>
> The official last 1.4 version is 1.4.14.

We backported all the security fixes... Of course, version upgrades are possible and occasionally done. For MediaWiki in the 1.4.x series this might be possible, but not upgrading to 1.5.x or 1.6.x, since this would need manual intervention by the admin.

> > 2 years of security updates, as with the dozen SUSE Linux releases before.
>
> I don't question the security releases, just the way they are done.
> At first glance it seems very expensive to fix programs that were not intended to be, when the developers do this better (I beg) and for free, just to stay with obsolete versions.
> I mean, if the developer of the app XXxx gives two years of security updates, it seems enough to use them. If not, how can you be sure? Does this mean you have a programmer for any and each package available on SUSE Linux? If yes, is this one included in the main developer team or working alone?

Yeah. We sometimes consider whether we should add them to the 2-year supported distributions at all. In the case of MediaWiki we might perhaps just better have left it off. We have package maintainers taking care of a number of packages each, who are also assigned to fix / backport bugfixes and updates. This gets even harder with our maintained distributions, which have life spans of 5 or even 7 years and where we cannot do major version upgrades at all. ;)

Ciao, Marcus