drago01 at gmail.com
Wed Sep 22 16:58:25 UTC 2010
On Wed, Sep 22, 2010 at 6:31 PM, Bruno Wolff III <bruno at wolff.to> wrote:
> On Wed, Sep 22, 2010 at 17:27:43 +0200,
> drago01 <drago01 at gmail.com> wrote:
>> On Wed, Sep 22, 2010 at 5:04 PM, Bruno Wolff III <bruno at wolff.to> wrote:
>> > On Wed, Sep 22, 2010 at 17:01:02 +0200,
>> > Tomas Mraz <tmraz at redhat.com> wrote:
>> >> I say that the example of Webkit should be removed because if it is not
>> >> possible to backport the security patch and due to the version update
>> >> Midori has to be updated to a new version regardless of the changes of
>> >> user experience. The part of the example "judgement call based on how
>> >> intrusive the changes are" does not make any sense. We just cannot keep
>> >> the old insecure version regardless on how intrusive the changes are.
>> > Security isn't binary. It may be that a security update addresses an issue
>> > that can not happen in normal cases. It might be reasonable to just document
>> > the cases where there is a problem so as to warn people not to do that.
>> NO, security issues ought to be *fixed* not just documented.
> All bugs ought to be fixed. That doesn't mean that if the cost to fix is high,
> other alternatives aren't acceptible.
In case of a security issue a random note somewhere "don't do that" is
not acceptable ... that's all I am saying here.
You are leaving users at risk by assuming that they will read that
notice (note: most wont).
More information about the devel