[aerogear-dev] security updates

Burr Sutter bsutter at redhat.com
Tue Mar 11 13:12:09 EDT 2014


We are going to have to support a range of Cordova versions for the following reasons:
1) Sync'ing with JBDS
2) Sync'ing with what is supported at any given moment - where the supported version may only update 2 times a year
3) Addressing the fact that customers are slow to upgrade unless there is a very real problem exposed in their specific application - for example, if they don't use a particular Cordova plugin then they might ignore a particular vulnerability that is tied to a specific plugin. Another example: if their apps are only used on 25 corporate executives' phones, then they might determine the vulnerability is less important (small, fixed audience).

We will need to pick a specific time window for all parties to "catch up" like 12 months.

On Mar 11, 2014, at 12:18 PM, tolis emmanouilidis <tolisemm at gmail.com> wrote:

> I'd vote for encourage even if security should always be priority 1.
> 
> I feel that if the supported Cordova Lib versions of the AeroGear plugins are changed every time a security vulnerability is discovered and a new Cordova Lib version is released, then our plugins will always support only the latest Cordova Lib version.
> 
> Thanks,
> Tolis
> 
> 
> 2014-03-10 17:43 GMT+02:00 Erik Jan de Wit <edewit at redhat.com>:
> Hi,
> 
> Bruno has created some PRs to update our Cordova plugins to no longer support 3.0.0 but update it to 3.4.0, because of a number of security issues that have been solved. Now of course we should encourage that people use the latest version, but this PR enforces it. Also, Gorkem invested quite some time to support different versions. So what should we pick: enforce or encourage?
> 
> Cheers,
>         Erik Jan
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
