On 25 Apr 2006 at 17:20, Marcus Meissner wrote:
On Tue, Apr 25, 2006 at 05:17:19PM +0200, Philipp Wollermann wrote:
Hi,
Marcus Meissner wrote:
The latest security bugs in FF 1.5.x have been applied already, check the changelog... A version upgrade won't be done now.
Ciao, Marcus
I don't want to discuss this thing, but maybe someone can explain to me (it's just because I'm interested in the reasons for this method), why distributors choose to manually patch applications, instead of applying minor version updates from upstream? Manually applied patches can't be verified by the user, so as in the Qt 4.1.0 vs. 4.1.2 issue, I would think "SUSE doesn't even bugfix stability issues" even if the patches maybe have been applied manually without increasing the version number..
Certification for products might list specific fixed versions.
OK.
Because just "minor version updates" in the OSS world occasionally mean massive changes and it is hard to decide.
It can be, but need not. For every rule there should be exceptions.
Or even "minor version updates" break binary compatibility if libraries are provided.
OK, may be, but strictly speaking no security-patched binary is binary-compatible to the non-patched version ;-) So this also depends very much on the details.
There is a class of "leaf packages" like Firefox where this is not so important and where we do upgrades on occasion already. (We did for the Firefox series in older products occasionally.)
The internal policy however sets it to backport if possible, to avoid any problems like the above (or others still unknown).
Generally OK, but sometimes it seems easier to make an exception. Regards, Ulrich