
Re: rkhunter on Etch



On 2008-08-29 11:42, Tim Edwards wrote:
> Johannes Wiedersich wrote:
>> On 2008-08-28 10:00, Tim Edwards wrote:
>> That's new to me. Where did you get this information? IIRC it's a unique
>> feature of debian (and/or debian based systems) to get security fixes
>> backported. As an example, see suse's security announcements, where
>> first firefox is updated to version 2.0.0.13 [1] and later to 2.0.0.13
                                                                 ^^^^^^^
Sorry for the typo, it should read:                             2.0.0.15

>> [2], ie. the fixes are *not* backported to 2.0.0.13.
> 
> That's what I mean - they've backported the security/bug updates into
> their firefox 2.0.0.13 package, ie. it's still firefox 2.0.0.13 but with
> some fixes from 2.0.0.16 (or whatever the latest is) included.

No. In this case it seems they replaced firefox 2.0.0.13 by upstream's
next version. (If they'd fix mozilla's code by themselves in a similar
fashion as debian, they wouldn't be allowed to call it 'firefox'. This
is the reason why firefox [was|had to be] rebranded to iceweasel in
debian.)

> This is taking a patch and applying it to an older version of the
> software than it was intended
> (http://www.reference.com/search?r=13&q=Backporting) and it's certainly
> not unique to Debian. On RPM distros they increment the release number
> on the RPM when they do this.
> 
> http://www.redhat.com/security/updates/backporting/?sc_cid=3093

From this and [1] and [2] (look at the version number of firefox) I
infer that Redhat *sometimes* employs security backports (if they can't
escape it) and usually just upgrades to the next upstream version.

Debian *always* backports security fixes to its stable release.

Cheers,

Johannes

[1]
https://www.redhat.com/archives/enterprise-watch-list/2008-July/msg00002.html
[2]
https://www.redhat.com/archives/enterprise-watch-list/2008-July/msg00017.html
