Re: Disable a package for Fedora 26

Hi Kevin, thanks for your feedback.


On 01/09/2018 11:36 AM, Kevin Kofler wrote:
> … if you can't do the backport in a reasonable time frame (This 
> vulnerability is very critical, since it allows remote money stealing!), the 
> recommendation is to just upgrade to the latest upstream immediately (i.e., 
> your first option). E.g., this (just upgrade to the latest version, even if 
> there are breaking changes) is also how Firefox handles security updates.
>
> Upgrading vs. backporting is always a tradeoff. Upgrading keeps you closer 
> to upstream, backporting means fewer unexpected changes for users of stable 
> releases. There are instances of both in Fedora, depending on what changed 
> in the new upstream release and/or how hard it is to backport the security 
> fixes to the old release.

I think the best solution, based on my knowledge and available time, is
to upgrade Fedora 26 to the latest upstream.
The fixes from upstream are spread over several commits and releases.



> This (your third option) is the worst possible option. It is better to just 
> push the new version, which is surely better than nothing (and also better 
> than doing nothing and letting websites steal the user's money).
I agree, this is the most user-unfriendly, but better than losing money.


Jonny