On Thu, Aug 8, 2013 at 3:13 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> The assertion that packagers only use unmodified tarball is strange to
> me. Packagers routinely patch upstream software to make it work on their
> system or to backport security fixes. But usually the version number of
> the upstream release which the package is based on is used in the package
Yes, the *nix distributions typically do this, sadly they aren't the
most reliable packagers. I'll admit I don't pay much attention to
what OpenBSD does but I know some of these distributors haven't done a
very good job of making security updates available.
Picking on Debian here a bit:
CVE-2103-1846 was announced in April, squeeze still doesn't have this fix.
So frankly I think the most reliable packagers are the vendors these
days. And to the best of my knowledge they aren't patching their
packages. Maybe if we released a security issue without a new patch
release accompanying it they would.
Received on 2013-08-09 01:01:18 CEST