NoOp <[email protected]> wrote:
> On 01/24/2013 12:38 AM, Rob wrote:
>> NoOp <[email protected]> wrote:
>>> On 01/23/2013 01:23 PM, Connie wrote:
>>>> NoOp wrote:
>>>> 
>>>>> I'd rethink taking that "advise" were I you:
>>>>> <https://www.mozilla.org/security/known-vulnerabilities/seamonkey.html>
>>>> 
>>>> Not take which advice?  Uninstalling the version already installed? 
>>>> Installing over the top or not doing so?  Or not installing 2.14.1?
>>>
>>> Installing 2.14.1 instead of the current 2.15.1.
>>>
>>> Notice that 2.15 fixes 12 /Critical/ security issues, and 6 /High/
>>> security issues.
>> 
>> Wait.  Each and every new release combines security fixes with
>> functional changes and new bugs.   It is like that, no matter if
>> you like it or not.   It is not always good to install the latest
>> release, because they (lately) often come with critical problems
>> that affect the average user much much more than a security issue.
>
> So you are advising every "average user" here to back down to 2.14.1?

I have read several times here that users experience issues after the
upgrade to 2.15 and I think that people should know that the updates
that Mozilla tells them are for security are actually just snapshots
of an ongoing development process.  When they cannot live with the new
problems of a new release, they should stay at a release that proved
to work OK.   One of them is 2.12.1 and it looks like 2.14.1 is also
working reasonably as long as you don't specify a default fontsize in
the mail composition and do not change the fontsize yourself.

>> The security issue only hits you when you visit some infected site,
>> the new bugs often hit you all the time and right in the face.
>
> I recommend that you actually take the time to *read* the fixed security
> issues.
>
> And do you think you will have a heads up for every "infected site"? Or
> that all of the security fixes/vulnerabilities only involve the browser
> component?

Again, I consider security updates very important, but unfortunately
Mozilla doesn't issue them.

>> Watch for example what happened with IMAP mail in 2.13.  We had to
>> rollback the entire Seamonkey deployment in our company because of
>> critical bugs in 2.13.   Now we use 2.14.1 but I am again very
>> wary to upgrade without extensive testing and making sure there
>> are no stupid bugs like the font bug that was introduced into the
>> HTML editor (and forced us to disable font size changes in the
>> mail composition)
>
> Odd, I don't see that mentioned in your posts here. But see no
> improvement on the IMAP issues that I experience regardless of version.
> (I click on an IMAP account & get continuous download symptoms until I
> click away).

The discussion happened in Bugzilla, not here.

> Your election to wait to install 2.15.x across 400+ computers is, of
> course your choice. It may even be a good choice in your
> situation/environment, but in the interim your company is at risk to the
> CVEs listed. That said, I'd be pretty hesitant to tell an
> individual on this list to stay at a 2.14 release without (IMO) good
> reason.

We are not very much at risk, because our users work as nonprivileged
users, software installs are disabled (among other things locked down
using a long lockPref file), a software restriction policy is in place
that allows users only to execute programs installed by the admin in
directories users cannot write to, and a proxy is between the users
and internet that filters many threats.  And of course there is an
on-access virus/trojan scanner.

It is a much greater risk to the company when the users suddenly can't
use their e-mail, cannot access attachments they received, cannot
compose mail because of a custom setting they made, cannot edit an
intranet page because of a silly bug introduced in the browser, etc
etc etc.
It is a fact of life that every new release introduces high-profile
bugs, and it takes months or years to subsequently remove them.

>> With Mozilla you basically get security issues fixed only in the
>> "current version", and whenever a security bug is fixed they entice
>> you to upgrade to a new version with functional changes and new
>> bugs, that are fixed only very slowly.   This means that many users
>> just stay at (slightly) older versions.
>
> I reckon that with the 400 MSO (mail & browser) license fees that your
> company saves by using SeaMonkey, perhaps your company can contribute
> something to the SeaMonkey project?
> <https://donate.mozilla.org/page/contribute/seamonkey>
> <http://www.seamonkey-project.org/dev/>

Actually I have contributed many detailed issue reports in Bugzilla.
Unfortunately I have seen many times that a new version introduces a
critical bug in functionality that worked OK for a decade, I report
the bug immediately after the release, but then it takes months or
years before it gets looked at and possibly fixed.
I would expect bugs that describe regressions or new problems introduced
in recent releases to have a high priority and to be directly assigned
to the person who last changed the affected component.  That does not
appear to happen.

I also often run beta versions on my own computer, but the hard fact
of life is that a 400 user base of office users finds completely
different issues than I find during my own use.  And even when I
report issues in beta versions, they usually aren't fixed before
release, so we are still faced with the choice of upgrading for
security or staying at an old version for stability.
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
