[Syncopation]

Kodi 17.1 installed on macOS 10.12.5. Kodi 17.2 has been release on 2017-05-21 and includes a security relevant fix. But when starting Kodi 17.1 I do not see any info about an update which is available.

Expected: User should be informed about updates and easy update path should be available.

[Martijn]

Well sorry for not immediately spamming the whole world about an update.

[Syncopation]

Huh? Why so passive aggressive?

A simple "we delay updates 5 workdays before we notify users from within our application" would have done as well.

Edit: I would not consider informing user about a security update "spamming" by the way.
Edit: Details about the vulnerability fixed in Kodi 17.2 are here: http://blog.checkpoint.com/2017/05/23/ha...anslation/

[Memphiz]

Telling the release manager of the security release about the impact of the flaw which he considered big enough to justify and initiate that very security release is some really strange sort of humor.
What exactly do you want? Pointing out how bad we handle those things?

[Syncopation]

How was I telling the release manager anything? I didn't even know Martijn has that role and how would I? In my initial post where I asked about the update mechanisms I wasn't addressing anybody specific at all. Martijn was the first to reply and he did in a similar way, you (Memphiz) are now responding to my second post.

What I want? I don't think my posts are about what I want. But with my posts I wanted to raise the question, how updates are handled. I described an expected behavior and I described how Kodi currently behaves.

In my second post I tried pointing out, that it may be a good idea to inform users from within the app about that fact, that an update is available. Not all your users visit the blog on a daily basis. But the response from Martijn confused me a bit. So I added the two edit lines which came to mind a bit after posting:

1. Why would Kodi team consider information about an available update "spam". This is hard for me to understand.
2. Since we all seem to agree on the severity of the issue at hand and Memphiz confirms 17.2 was initiated due to the vulnerability, I thought it good to point to the details of the problem.

Summarizing, I applaud Kodis promt response to the problem and agree that releasing 17.2 with the fix was a good decision. I still am unsure how updates are handled. And it would be great if that simple question would not be taken as offense or personal insult, which I did not intend to make it sound like.

[Memphiz]

1. there is a version check addon that points out new version from within the application
2. it was not updated yet (so you didn't get a notice) because there went something wrong with the binary addons during release of 17.2. That is why martijn prepared a fixed release (17.3) while holding back the version addon update
3. There is no mechanism that ensures that everything is updated at the same time (Files have to be moved on the download mirrors, blog post needs to be written and published, website download links need to be adapted, version check addon needs to be altered and updated in our repo so users get notifications), there might be some more people involved in this and they are also beer drinkers so things might get interrupted...

4. This whole "security bug" and how the press and everyone else pushes this is ridiculous. For the bug someone has to hack a subtitle server and hope that someone uses this subtitle at some point. It would be much easier to hack a repo server instead and push manipulated addons - the impact would be much bigger. So calm down about that stupid zip traversal...

Long story short. It might be that the notification from within Kodi might come some days after the release. That shouldn't be an issue. Also you managed to note the update like a couple of hours after the release as it seems - so even that seems to work somehow.

[Syncopation]

Thank you for elaborating.