On 4/24/07, David Tangye <[EMAIL PROTECTED]> wrote:
> On Tue, 2007-04-24 at 19:12 -0700, Chris Travers wrote:
> > > If I convert my 2.6.x SL to 1.1.12 LS and I don't feel I have
> > > compelling reasons to go to 1.2 at this time, would I be converting down
> > > the road to a more stable 1.2 and then to 1.3?
> >
> > Yes. The database schema is not expected to change in any significant
> > way before 1.3
> I was just about to suggest, from what I had seen here, that the
> best migration path that is manageable by LSMB in terms of scripting
> logic sounded like "always go to LSMB 1.1.12".
No, that is not correct. In SL and LSMB 1.1.x, it is *trivial* for people to post fraudulent transactions. Not only can someone embezzle money, but that person can pin it on someone else. If this is a concern, neither SQL-Ledger nor LSMB 1.1.x is an option. And SQL-Ledger security is even worse. A malicious user with a valid login can do all kinds of horrible things (log in as someone else, execute arbitrary code on the web server, change/delete other people's passwords, etc.).

In my view, you have to balance the need for an easy installation against the need for any security of any audit trail. LSMB 1.1.x and SQL-Ledger (any version) do not offer that assurance. Nor does SQL-Ledger offer any assurance of the security of the web server. For more details, please do a search on my bugtraq posts. Many of these contain full disclosure, including steps necessary to exploit these problems.

So, if you need the security of your audit trail (a very common and basic requirement for systems with more than one user), these versions are not good enough. If you only have 1 user of the system, then these options are good enough; if you have more, then you need to think long and hard before deciding *not* to go to 1.2.0.

Let me repeat this loud and clear in case you haven't been paying attention: there are known and public problems with LedgerSMB 1.1.12 from a security perspective. Although the vulnerabilities subject to full disclosure are not in 1.1.12, the vulnerabilities are sufficiently trivial to find and exploit that you are effectively on your own security-wise. Though these are fewer than with any version of SQL-Ledger, if you want to use that version, please don't come crying to me if someone wants to pin the embezzlement on someone else.

In short, if ease of installation is more important than the security of your finances, go with 1.1.12. If security is more important, go with 1.2.x. But that choice is yours and I cannot make it for you.
Best Wishes,
Chris Travers
