On Sat, Jul 12, 2014 at 5:34 PM, Klaus Ethgen <[email protected]> wrote:
> Hi Folks,
>
> I'll start with the last mail I reply to. It makes more sense that way.
>
> On Sat, 12 Jul 2014 at 16:28, Graeme Fowler wrote:
> > With respect folks, this is not the right mailing list for this
> > discussion.
> >
> > There is a Debian-specific support list for Exim on Debian; I suggest you
> > look in your package docs and follow from there. I'm sure the distribution
> > maintainers will be happy to answer any questions.
>
> More or less true, especially if he asks something debian specific.
>
> But parts of the discussion match all distributions. So I will
> answer them here.
>
> On Sat, 12 Jul 2014 at 15:44, Adam D. Barratt wrote:
> > > > I don't think so. Without explicitly checking all the patches, but
> > > > debian usually backports security relevant patches to the stable
> > > > distribution.
> > > I urge you to go look at what got fixed between 4.80 and 4.82 then
> > > (https://lists.exim.org/lurker/list/exim-announce.html). There's a DKIM
> > > hole that got patched that sounds pretty serious if you use DKIM.
> >
> > Do you mean CVE-2012-5671, which was fixed in exim 4.80.1 in October
> > 2012? That was already fixed in Debian's package version 4.80-5.1 at the
> > same time as the announcement by the exim maintainers; wheezy has 4.80-7
> > - i.e. newer.
>
> I also think that this is the bug Michael refers to.

Yes, think so, I was referring to this:
https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html
which details 4.80.1.

So I see, I am starting to understand now that there is not an exact
relation between the dot releases in exim and the release numbers given in
debian (or any unix/linux distro for that matter).

> > Why would you expect a _stable distribution_ to contain an upstream
> > version beyond the one that was current when the distribution was
> > released?
>
> And that is exactly how stable distributions, all of them, call them
> debian, redhat, susi^He, ..., work. You do not want to have a major
> version upgrade in a stable release.

Yes, I agree and for me, a dot release is not a major release. But I'm
understanding that you are referring to ANY change in the version number
you consider a major version upgrade.

> If you want, you have to go your own way and compile the software
> yourself. But then you have to take care yourself about dependencies,
> security upgrades and API changes.
>
> I know some people compiling exim themselves. It is not that hard. But if
> you use a stable release of a distribution, you will stay on that
> particular version with distribution caring about security fixes. How
> they do that might be different.
>
> On Sat, 12 Jul 2014 at 14:59, Michael Grant wrote:
> > > If you find an unfixed security bug you can create a bugreport with
> > > severe severity.
> >
> > It's true, I can do this, however, I'm not the person who builds exim on
> > debian, I just came along the other day and started using it because I
> > needed a mailer!
>
> Also that is how distributions work. If you find a security bug that is
> not fixed, report it. The one who builds debian packages might not know
> about all security bugs but most likely they monitor the relevant
> information to do so.

So how can I know that any particular distribution is patched up to the
current bug fix level of the current level of a piece of software? I spent
some time trying to search out this info in the svn repo for debian and
couldn't find it. I see it's been updated 4 times but without actually
digging into the diffs, there seems to be no easy way to know. If, on the
other hand, I saw 4.92 in the version and I saw that exim's latest version
was 4.92, then it's easy for me to discern that I am in fact running the
latest s/w with the fewest known bugs.

But yes, I totally see your point that the dot releases change the version
number and are hence considered a major change. It's true that this is not
an exim problem and I will pose this question on the debian exim list
(unless someone here is on that list, feel free to reply to me directly).

> Especially with debian it is so easy to call »reportbug« to report your
> bug. While it is a pain in the ass to file a bug in redhat's bugzilla, it
> is so easy to file one in debian. So please don't complain, report it.
>
> > What you are saying implies a much larger problem that there's no
> > orderly way to feed release info into the distributions.
>
> What? I do not get this sentence.
>
> Ah, and before you ask, no, I am not related to debian, I just use
> debian as base of the systems I build stuff on. And I reported many bugs
> until now on many subsystems. Even if some of the bugs are nonsense (not
> intended but came out as being my own problem) it makes sense to report
> bugs.
>
> Regards
> Klaus
>
> Ps. You do not need to send the answer to me directly, I do actively
> read this list.

Klaus, thanks for your responses, much is now clearer.

Michael Grant

> --
> Klaus Ethgen http://www.ethgen.ch/
> pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <[email protected]>
> Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
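
As an added example, not part of the original thread or of any Debian or Exim tooling: one way to answer the "is my package patched?" question is to look for the CVE id in the package changelog and compare the installed package version, using Debian's version ordering, against the entry that names it. The changelog text is constructed, and the function names (`versions_mentioning`, `deb_compare`, `is_patched`) are hypothetical; only the versions 4.80-5.1 and 4.80-7 and the id CVE-2012-5671 come from the thread.

```python
import re
# Constructed changelog excerpt (trailer lines omitted, entry wording made up);
# only the package versions and the CVE id come from the thread above.
CHANGELOG = """\
exim4 (4.80-7) unstable; urgency=low
  * Constructed entry: packaging changes only.
exim4 (4.80-5.1) unstable; urgency=high
  * Constructed entry: backport fix for CVE-2012-5671.
"""
HEADER = re.compile(r"^(\S+) \(([^)]+)\) ")

def versions_mentioning(changelog, cve):  # versions whose entry names the CVE
    current, hits = None, []
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(2)
        elif current and cve in line and current not in hits:
            hits.append(current)
    return hits

def _order(c):  # dpkg order: '~' < end of string < letters < everything else
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # alternate non-digit and digit runs, as dpkg does
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca, cb = (_order(s[i]) if i < len(s) else 0 for s in (na, nb))
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_compare(a, b):  # -1, 0 or 1 for Debian [epoch:]upstream[-revision]
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(installed, changelog, cve):  # a mention is a lead, not proof
    hits = versions_mentioning(changelog, cve)
    return any(deb_compare(installed, v) >= 0 for v in hits)
```

On a Debian system the packaged changelog is normally found at /usr/share/doc/<package>/changelog.Debian.gz; read the matching entry before trusting a hit, since an entry can name a CVE only to say the package is not affected.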
