On 2008-08-29 11:42, Tim Edwards wrote:
Johannes Wiedersich wrote:
On 2008-08-28 10:00, Tim Edwards wrote:
That's new to me. Where did you get this information? IIRC it's a unique
feature of debian (and/or debian based systems) to get security fixes
backported. As an example, see suse's security announcements, where
first firefox is updated to version 2.0.0.13 [1] and later to 2.0.0.13
^^^^^^^
Sorry for the typo, it should read: 2.0.0.15
[2], ie. the fixes are *not* backported to 2.0.0.13.
That's what I mean - they've backported the security/bug updates into
their firefox 2.0.0.13 package, ie. it's still firefox 2.0.0.13 but with
some fixes from 2.0.0.16 (or whatever the latest is) included.
No. In this case it seems they replaced firefox 2.0.0.13 by upstream's
next version. (If they'd fix mozilla's code by themselves in a similar
fashion as debian, they wouldn't be allowed to call it 'firefox'. This
is the reason why firefox [was|had to be] rebranded to iceweasel in
debian. )
This is taking a patch and applying it to an older version of the
software than it was intended
(http://www.reference.com/search?r=13&q=Backporting) and it's certainly
not unique to Debian. On RPM distros they increment the release number
on the RPM when they do this.
http://www.redhat.com/security/updates/backporting/?sc_cid=3093
From this and [1] and [2] (look at the version number of firefox) I
infer that Redhat *sometimes* employs security backports (if they can't
escape it) and usually just upgrades to the next upstream version.
Debian *always* backports security fixes to its stable release.
Cheers,
Johannes
[1] https://www.redhat.com/archives/enterprise-watch-list/2008-July/msg00002.html
[2] https://www.redhat.com/archives/enterprise-watch-list/2008-July/msg00017.html