[Koha] Swapping Addresses
Mark Tompsett
mtompset at hotmail.com
Wed Jul 1 06:45:55 NZST 2015
Greetings,
Paul A wrote:
> Ummm... some of us have production cycles of two (maybe three)
> years (exceptions made for security)
-- exactly... let's review security updates recently.
Google "koha security":
2013-07-29 - 3.12.3, 3.10.9, 3.8.16, 3.6.12
2014-02-07 - 3.14.3, 3.12.10, 3.10.13, 3.8.23
2014-12-10 - 3.18.1
2014-12-11 - 3.16.5
2015-06-23 - 3.20.1, 3.18.8, 3.16.12
Let's say you had 3.6.x in 2013. Less than a year, you would be upgrading to
3.6.12 and a few month later be forced to jump to 3.8.x
Let's say you had 3.8.x in 2013. Less than a year, you would be upgrading to
3.8.16, and 3.8.23 less than a year after that.
Anything less than 3.16.x in 2014 should have jumped to 3.16.5 less than a
two year cycle from 3.6.12.
There are 4 distinct security releases in the last 2 years. I'm sorry, but a
2 year production cycle is not realistic in terms of security.
And if you argue they were as recent in previous year, I would argue that
the quality level of Koha has been improving over time. Consider that debian
packages in production were only as of 3.4! Have you seen the massive
interface improvements since 3.6.x?! The underlying libraries and
technologies have been improved as well. All these sorts of improvements
include an increased testing and awareness of security issues.
> and only follow the minor/major releases on
> a sandbox to keep up with enhancements for the
> next production upgrade. The principle of
> "if it ain't broke, don't fix it."
-- security issues are by definition broken.
So while I agree with the principle, the problem is reality is rather cruel
and things break more frequently than we would like.
GPML,
Mark Tompsett
More information about the Koha
mailing list