[TYPO3-project-4-3] TYPO3 Distribution Concept for 4.3

Marcus Krause marcus#exp2009 at t3sec.info
Fri May 15 23:29:44 CEST 2009


Franz Koch schrieb am 05/15/2009 02:58 PM Uhr:
> Hi Marcus,
>>> [...]
>>> This concept would also be much wiser if you think about security issues
>>> etc. If a security leak is found in a bundled extension, simply update
>>> the required version of the extension to the one of the security-fix and
>>> you're done - no repacking etc.
>>> [...]
>>
>> Good point - security. As you know, we regularly find security issues in
>> widely spread extensions. If you feel you could manage re-bundling them
>> in such cases, then I'm fine with it. Otherwise think about a better
>> approach.
> 
> sorry - don't get your point here. Are you saying bundled extensions
> (that might be bundled by specific version to ensure compatibility with
> the distribution) should not get "updated" if a security leak was found
> and fixed? In the concept I described, (...)

Obviously, it's not even clear which concept fits best.

All I want to say is, keep security in mind! If extensions/extension
version numbers are preset in such a package, this package must be
re-bundled if one of those extensions is susceptible to vulnerabilities.

This might be a matter of changing a single number in a file, but even a
tiny change might require a huge management workflow behind the scenes.

It's not about users that have already downloaded such bundle, it's
about users that are going to download such package and find an
initially vulnerable one.

Marcus.
