On Sunday 04 November 2007 18:27:15 wrote Martin Jürgens:

Hi!

As you might know, new version of packages are being shipped in Fedora's updates repository, fedora-updates.

An example for it is qt4. Version 4.2 is shipped with the distribution, but fedora-updates provides version 4.3.2.

So I tried to build a package in the buildservice which requires Qt 4.3. But it does not build so I guess that the Fedora 7 distribution does not include updates which may be a security risk.

Just imagine a library is being fixed, but all applications in the Build Service are compiled against the old library which has a security flaw in it.

only in very very rare cases this is a problem, since you can still run it against a newer lib and the security leak usually only happens at runtime, but not at compile time.

Are there plans to change this?

We build against the original lib (not only for Fedora, also SUSE and others), since this guarantees that your package works against the original one _AND_ the update qt package (since it needs to be forward compatible).

for openSUSE we have also the openSUSE:X.Y:Update projects to build against, but usually you should avoid them, because of the reason I mentioned.

(only exceptions are new kernel ABI for 10.1 and changed libzypp interface in 10.1). All other packages should work fine when build against the original interfaces.