
Re: rkhunter on Etch
Johannes Wiedersich wrote:
On 2008-08-29 11:42, Tim Edwards wrote:
Johannes Wiedersich wrote:
On 2008-08-28 10:00, Tim Edwards wrote:
That's new to me. Where did you get this information? IIRC it's a unique
feature of debian (and/or debian based systems) to get security fixes
backported. As an example, see suse's security announcements, where
first firefox is updated to version 2.0.0.13 [1] and later to 2.0.0.13
                                                                 ^^^^^^^
Sorry for the typo, it should read:                             2.0.0.15

[2], i.e. the fixes are *not* backported to 2.0.0.13.
That's what I mean - they've backported the security/bug updates into
their firefox 2.0.0.13 package, i.e. it's still firefox 2.0.0.13 but with
some fixes from 2.0.0.16 (or whatever the latest is) included.

No. In this case it seems they replaced firefox 2.0.0.13 by upstream's
next version. (If they'd fix mozilla's code by themselves in a similar
fashion as debian, they wouldn't be allowed to call it 'firefox'. This
is the reason why firefox [was|had to be] rebranded to iceweasel in
debian. )

This is taking a patch and applying it to an older version of the
software than it was intended
(http://www.reference.com/search?r=13&q=Backporting) and it's certainly
not unique to Debian. On RPM distros they increment the release number
on the RPM when they do this.

http://www.redhat.com/security/updates/backporting/?sc_cid=3093

From this and [1] and [2] (look at the version number of firefox) I
infer that Redhat *sometimes* employs security backports (if they can't
escape it) and usually just upgrades to the next upstream version.

Debian *always* backports security fixes to its stable release.

Cheers,

Johannes

[1]
https://www.redhat.com/archives/enterprise-watch-list/2008-July/msg00002.html
[2]
https://www.redhat.com/archives/enterprise-watch-list/2008-July/msg00017.html


Ok, I take your point about Firefox, I have seen some distros (e.g. Mandriva) do this - just upgrade to the next minor version. But with Firefox it's no different to a backport as the minor versions are only security/bug fixes, no feature changes. If you have even a quick glance over the updates repo vs. the release repos for any of the non-Deb distros I mentioned you will see Firefox is definitely the exception to the rule.

Also the article I linked definitely doesn't say that Redhat only "*sometimes* employs security backports (if they can't escape it)"! It says that they sometimes make special exceptions to their *default* policy of backporting: "Whilst on some products our default policy is to backport security fixes, we do from time to time provide version updates of some packages after careful testing and analysis. These are likely to be packages that have no interaction with others, or are used by an end-user (such as a web browser)."

Backporting is not unique to Debian, it is the usual behaviour of the maintainers of other distros as well, otherwise these distros just wouldn't be stable enough for production.
