Hello,
on 12/16/2004 02:10 AM Matthew Weier O'Phinney said the following:
> You *do* make valid points about making needless upgrades -- if no security vulnerabilities exist, the application works fine, and you don't need features from the new version, there really is no reason to upgrade. But when a security vulnerability *does* exist, and it *could* affect your application, you've got another issue entirely on your hands. The trick is learning to distinguish between the two.
You are still missing the point. A version may have vulnerabilities that affect functions that you do not use. Upgrading in that case is pointless and risky because newer versions have new bugs.
Go and read back through the PHP version history and notice that there were times when a vulnerability-fixing upgrade introduced new vulnerabilities. If the old vulnerability was not affecting your application, you should not have upgraded.
Another point is that, if there is a patch available, apply the patch instead of upgrading to a new version. That is a common practice of high quality control Linux distributions like SuSE. Often when a vulnerability is reported, they provide a security fix that just applies the patch. This way you do not risk breaking other things or being affected by new vulnerabilities.
--
Regards, Manuel Lemos
PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/
PHP Reviews - Reviews of PHP books and other products http://www.phpclasses.org/reviews/
Metastorage - Data object relational mapping layer generator http://www.meta-language.net/metastorage.html