Re: Updates in stable releases
* Kurt Roeckx:
> I want to start by giving some examples of things that got updated
> in stable point releases that I know about:
> - linux was 3.2.41-2 in 7.0, 3.2.51-1 in 7.3, 3.2.53-2 in
> - iceweasel was 10.0.12esr-1 in 7.0, is now 17.0.10esr-1~deb7u1
> - postgresql-9.1 was 9.1.9-1, now 9.1.11-0wheezy1
> Clearly new upstream releases are acceptable under some
> conditions. But it's not clear to me what those conditions are.

There's not a consistent set. For some packages, we end up with new
upstream versions because we have not much choice and would otherwise
have to remove the package. iceweasel from your list falls into this
category, and there have been BIND and OpenJDK updates with similar

If upstream has long-term stable versions with really limited changes
(your linux and postgresql-9.1 examples), we may use them instead of
rolling our own releases, based on the assumption that the released
version has seen some testing upstream and elsewhere, more than our
backport of a patch in isolation would receive prior to a release in a

> One thing I had in mind for an update to apache is to have the
> version in stable support ECDHE which the version in stable
> currently doesn't do.

I don't think we can switch to a new upstream version of Apache httpd.
But we do backport additional security features from time to time.
(The enhanced DNSSEC support that came with DSA-2054-1 is an example.)