On Thu, Dec 04, 2003, Bill Campbell wrote:

> On Thu, Dec 04, 2003, Ralf S. Engelschall wrote:
> >On Thu, Dec 04, 2003, Bill Campbell wrote:
> >
> >> [...]
> >> On a related note, is there any reason you didn't go to rsync-2.5.7 instead
> >> of updating rsync-2.5.6?  When I saw the security advisory last night from
> >> Rsync, I got the tarball, changed the Version number in the rsync.spec
> >> file, and it rebuilt without problems.  I've been running that on our
> >> servers here since then without noticeable ill effects.
> >
> >I'm not sure whether I understand your question. OpenPKG-CURRENT _is_
> >at rsync-2.5.7-20031204. Only OpenPKG-1.2-SOLID and OpenPKG-1.3-SOLID
> >packages are at rsync-2.5.5-1.2.1 and rsync-2.5.6-1.3.1. But these are
> >old versions with the security bugfix backported. And that's the way we
> >do all security update packages: the vendor version is intentionally
> >kept (for full compatibility) and the security fix is included.
>
> I wasn't aware of this policy as I think I've seen a reasonable number of
> version updates in the release tree.

No, AFAIK the only exception was and still is OSSP fsl for obvious
reasons. For all other 1.x-SOLID packages (../UPD/*.src.rpm) we
intentionally never changed the vendor version. This is very important
and in our opinion one of the great benefits our security engineering
policy provides to our community (especially compared to some other
package vendors which do not follow such a strict security bugfix policy
;-) -- although it often means really a lot of backporting trouble for
us.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
User Communication List                      [EMAIL PROTECTED]
