Jonny Heggheim wrote:
> We just pushed an urgent security update for Electrum for Fedora 27 and
> rawhide; Fedora 26 is still affected.
>
> All versions of Electrum are affected by this bug. Fedora 26 still runs
> an older version because of big changes in Electrum 3.0 and an updated
> version of a dependency.
>
> So I see 3 options:

Note: I reordered the options below for commenting:

> * Create a patch for the version running on Fedora 26. Will take time
> to make the patch and test on Fedora 26.

This (your second option) is what the stable update guidelines recommend doing in such a case ("big changes in Electrum 3.0") if possible, but…

> * Upgrade to latest version for Fedora 26. Will take time to update and
> might break something else.

… if you can't do the backport in a reasonable time frame (this vulnerability is very critical, since it allows remote money stealing!), the recommendation is to just upgrade to the latest upstream immediately (i.e., your first option). E.g., this (just upgrade to the latest version, even if there are breaking changes) is also how Firefox handles security updates.

Upgrading vs. backporting is always a tradeoff. Upgrading keeps you closer to upstream; backporting means fewer unexpected changes for users of stable releases. There are instances of both in Fedora, depending on what changed in the new upstream release and/or how hard it is to backport the security fixes to the old release.

> * Make an update that disables Electrum, include only a README or
> something like that. Will make users confused.

This (your third option) is the worst possible option. It is better to just push the new version, which is surely better than nothing (and also better than doing nothing and letting websites steal the user's money).

Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx