[Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

Samuel Greenfeld samuel at greenfeld.org
Tue Jan 5 07:04:18 EST 2016

In general, many widely used Sugar distributions are based on Operating
Systems that are at least a few years old and full of security holes.

Bringing them up to date for computers like XOs that need updated hardware
drivers would require a fair amount of effort.   (Hence the move by some
groups to standardized hardware and Ubuntu for long-term support.)

The primary mitigating factors {if you could count them as such} are that
(1) many Sugar users are offline or barely online, and (2) the obscurity of
someone trying to hack telepathy versus using a wider exploit against
something like libjpeg or OpenSSL.

But I wouldn't rely on obscurity as your sole protection.

On Tue, Jan 5, 2016 at 5:37 AM, Jonas Smedegaard <dr at jones.dk> wrote:

> Quoting Sam P. (2016-01-04 16:34:33)
> > This is serious.  If an activity wants to work in collaboration mode
> > on a NEW version of telepathy gabble, it needs to be ported not to use
> > tubes.
> >
> > However, your activity will still work on OLPC OS 13/14, Fedora 21 and
> > before and on the current Debian (???).  Your activity will still work
> > everywhere in single user mode.
> Unchanged activities will *not* work on current Debian.  Not stable, not
> testing, and not unstable.  Nor will they work with Ubuntu.
> You might get them to work by adding "telepathy-gabble-legacy", but
> beware that that package is *old* and *unsupported* and *insecure*!
> Likewise, support for conventional tubes-based collaboration on other
> systems - OLPC OS and Fedora - makes use of an outdated version of
> telepathy Gabble, which potentially is highly insecure to use.
>  - Jonas
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
> _______________________________________________
> Sugar-devel mailing list
> Sugar-devel at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sugarlabs.org/archive/sugar-devel/attachments/20160105/63ae74b7/attachment.html>

More information about the Sugar-devel mailing list