Hi Marco, Marco Gaiarin wrote: > Whenever possible, i remove the auto update features of these > softwares. > > Other then that... my users have least privilege available (Users > group) on the machine, so pratically they can't upgrade. ;) This is what I do usually as well for managed installations. However if you set up machines which will be used by private users (not further managed by WPKG) or if users will not join your network for an update for a long time then it might be required to allow users to upgrade on their own. Especially if the fixes are security-relevant. In practice "normal" users are anyway not performing the upgrades and giving them only local "user" rights ensures much more security than giving administrator privileges. Most security-related vulnerabilities allow to take over a user process which gives the attacking party user permissions on the system. It's unlikely that an intruder spends a lot of time to find another security hole to get administrator privileges. So my personal experience showed that working without administrator privileges and using outdated programs is more secure than working with administrator privileges but keeping programs up-to-date. Working without administrator privileges protects from both, known and unknown vulnerabilities. Of course the best approach is to use just user privileges AND keeping the programs up-to-date :-). Unfortunately this imposes some effort on administrators and testing. So the approach to change the checks that they are still "true" for upcoming versions is not a bad approach in general. The good thing is that WPKG supports you no matter which approach you follow. br, Rainer |