The past week’s activity in security updates have generated a lot of new blog entries on this page. But does it have to be that way?
Martin Richter has written up a very good summary of why developers need the ability to freeze their environments (or at least be properly warned!!) when tools updates are released as important security updates. The main reason is because they need to target particular runtimes, and if they have to release hotfixes their manifests must match what is already out there. Another reason is that they simply cannot keep track of all the updates, and having your tools changed out from under you out of the blue can have major repercussions, especially if there are new bugs in those tools. It can cause massive numbers of hours of lost productivity in reconfiguring a whole organization’s developer machines.
I suggest you sign up for connect.microsoft.com (Visual Studio and .NET Framework) and read this (don’t forget to vote on it while you’re there):
I definitely support having some better communication about the issues as well at the time they are released, like when KB971090 was released there was a video on channel 9 – see http://channel9.msdn.com/Blogs/Charles/Out-of-Band-Inside-the-ATL-Security-Update for the type of info that should be communicated.
2 Comments
Looks like the next unexpected update (June 14) has fixed the problems introduced with the last one (April 12).
As far as I can tell, there are fixes for the 3 FindActCtxSectionString bugs you listed, as well as the MFC static code bloat – including the unneeded dependency on GDI+. What are other people seeing?
Thanks for the workarounds in the meantime, Ted.
Thanks for the heads up!