[Koha] Swapping Addresses

Mark Tompsett mtompset at hotmail.com
Wed Jul 1 06:45:55 NZST 2015


Greetings,

Paul A wrote:
> Ummm... some of us have production cycles of two (maybe three)
> years (exceptions made for security)

-- exactly... let's review security updates recently.
Google "koha security":
2013-07-29 - 3.12.3,   3.10.9,   3.8.16, 3.6.12
2014-02-07 - 3.14.3, 3.12.10, 3.10.13, 3.8.23
2014-12-10 - 3.18.1
2014-12-11 - 3.16.5
2015-06-23 - 3.20.1, 3.18.8, 3.16.12

Let's say you had 3.6.x in 2013. In less than a year, you would be upgrading to 
3.6.12 and a few months later be forced to jump to 3.8.x.
Let's say you had 3.8.x in 2013. In less than a year, you would be upgrading to 
3.8.16, and to 3.8.23 less than a year after that.
Anything less than 3.16.x in 2014 should have jumped to 3.16.5, in less than a 
two-year cycle from 3.6.12.
There are 4 distinct security releases in the last 2 years. I'm sorry, but a 
2-year production cycle is not realistic in terms of security.

And if you argue they were as recent in previous years, I would argue that 
the quality level of Koha has been improving over time. Consider that Debian 
packages in production were only available as of 3.4! Have you seen the massive 
interface improvements since 3.6.x?! The underlying libraries and 
technologies have been improved as well. All these sorts of improvements 
include increased testing and awareness of security issues.

> and only follow the minor/major releases on
> a sandbox to keep up with enhancements for the
> next production upgrade.  The principle of
> "if it ain't broke, don't fix it."

-- security issues are by definition broken.

So while I agree with the principle, the problem is that reality is rather cruel 
and things break more frequently than we would like.

GPML,
Mark Tompsett 
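The argument above can be replayed mechanically: take the security release dates and versions as listed in the message, pick the branch an installation sits on, and count how many forced upgrades (and how many advisories with no fix for that branch at all) a given production window would have produced. The script below is an added example written for this archive page; it is not code from the message or from the Koha project. The release table is transcribed from the message, the window boundaries and installed versions are constructed inputs, and the choice to merge advisories published within a few days of each other (the 2014-12-10 and 2014-12-11 releases) into one "distinct" advisory is my own assumption. Since the table does not say when a branch was first released, advisories that predate the first fix ever issued for a branch are skipped rather than counted against it.

```python
from datetime import date, timedelta

# Security releases as listed in the message: (date, versions released that day).
SECURITY_RELEASES = [
    (date(2013, 7, 29), ["3.12.3", "3.10.9", "3.8.16", "3.6.12"]),
    (date(2014, 2, 7), ["3.14.3", "3.12.10", "3.10.13", "3.8.23"]),
    (date(2014, 12, 10), ["3.18.1"]),
    (date(2014, 12, 11), ["3.16.5"]),
    (date(2015, 6, 23), ["3.20.1", "3.18.8", "3.16.12"]),
]


def parse_version(v):
    """'3.8.16' -> (3, 8, 16). Tuples compare numerically; strings would not
    (e.g. '3.8.9' > '3.8.16' as strings)."""
    return tuple(int(p) for p in v.split("."))


def fix_for_branch(versions, branch):
    """Return the version in `versions` on `branch` (e.g. (3, 8)), or None."""
    for v in versions:
        pv = parse_version(v)
        if pv[:2] == branch:
            return pv
    return None


def forced_upgrades(installed, start, end):
    """Replay advisories dated within [start, end] against an install that
    stays on its own branch.

    Returns (upgrades, unpatched): `upgrades` is a list of (date, version)
    the site would have had to apply; `unpatched` lists advisory dates on
    which the branch received no fix, i.e. dates on which staying on the
    branch meant staying exposed and a branch jump was due.
    Advisories before the first fix ever issued for the branch are skipped,
    because this table cannot tell when the branch was released (assumption).
    """
    cur = parse_version(installed)
    branch = cur[:2]
    advisories = sorted(SECURITY_RELEASES)
    first_seen = next((d for d, vs in advisories if fix_for_branch(vs, branch)), None)
    upgrades, unpatched = [], []
    for d, versions in advisories:
        if d < start or d > end:
            continue
        if first_seen is not None and d < first_seen:
            continue
        fix = fix_for_branch(versions, branch)
        if fix is None:
            unpatched.append(d)
        elif fix > cur:
            upgrades.append((d, ".".join(map(str, fix))))
            cur = fix  # the site is now on the fixed version
    return upgrades, unpatched


def distinct_advisories(start, end, merge_within_days=7):
    """Count advisory dates in [start, end], treating dates that fall within
    `merge_within_days` of the previous one as the same advisory (assumed
    grouping; the message's '4 in the last 2 years' matches it)."""
    dates = sorted(d for d, _ in SECURITY_RELEASES if start <= d <= end)
    count, last = 0, None
    for d in dates:
        if last is None or d - last > timedelta(days=merge_within_days):
            count += 1
        last = d
    return count


if __name__ == "__main__":
    window = (date(2013, 6, 23), date(2015, 6, 23))  # constructed 2-year window
    for v in ("3.6.5", "3.8.5", "3.16.0"):
        ups, gaps = forced_upgrades(v, *window)
        print(v, "->", [u for _, u in ups], "no fix on branch on:", gaps)
    print("distinct advisories in window:", distinct_advisories(*window))
```

Run as-is to see that a site on 3.6.x in mid-2013 gets exactly one fix on its branch and then four advisories with nothing for it, while a site on 3.8.x gets two fixes before the branch goes quiet; either way the "two-year cycle" breaks well before two years.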


