On ma, 2010-05-10 at 11:46 -0700, david@lang.hm wrote:
> It's not the same thing to have all the released and development versions of the code available and to have a link from the running system to say 'this is the exact version of the code, with all patches and local modifications, that is currently running'
It is true that local modifications may introduce security problems, but it is way more likely that there is a problem in the Koha code that everyone else is using as well. And the attacker does not need to know which version the target is running, they can just blindly try every known Koha security problem on every Koha site. That's what computers are for, automating boring things. So I don't think it is particularly important for security whether the code is out there or not. You are either vulnerable to a specific attack or you're not, and if you are, you're living on borrowed time. Frequent security updates are key to server survival on the public Internet. Can we put this sub-thread to rest now? (If I may say so, those security updates will be a bit easier to do with Debian packages, or any other form of easily upgraded packages, as opposed to installing from source.)