On 10/05/2017 06:22 AM, Carlos E. R. wrote:
> Any security "scanning" based on packages release versions on openSUSE is absurd, and your security officer should know it.
Why should they know this piece of trivia on a "Community" Linux version that is experiencing decreasing market share year by year? Version numbers exist for a reason. openSUSE's method of patching but leaving the number the same is just lazy (and dangerous). They should be applying community pressure to those packages that use EQUAL in their dependencies rather than GREATER OR EQUAL unless there is a clearly demonstrated reason that can't possibly work. Backward compatibility works in the vast majority of cases until or unless you run into major version issues (Qt4 --> Qt5). And THOSE are better handled by package systems than by fudging version numbers.

I'm not aware of any other distro that does it the openSUSE way. And it means a huge paper chase just to check if a patch has been applied. If openSUSE is moving toward a rolling release, this practice has to stop, and a more sane and standardized approach has to be taken. The world can't be expected to keep track of the idiosyncrasies of each Linux distro.

-- 
After all is said and done, more is said than done.
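The "paper chase" the reply complains about can be scripted. What follows is an added example, not code from this thread or from openSUSE: it contrasts what a version-number scanner concludes with a check of the package changelog (the text `rpm -q --changelog <pkg>` prints on SUSE, openSUSE, Fedora and RHEL), which is where a backported fix is recorded when the upstream version string stays the same. The package name `examplepkg`, the version numbers, the changelog text and the advisory id `CVE-YYYY-NNNNN` are all constructed placeholders; the id is deliberately not a real CVE number.

```python
"""Version-based scanning vs. changelog-based check for a backported fix.

Constructed scenario (not real data): hypothetical package "examplepkg" is
installed at upstream version 2.4.1, the fix for a hypothetical advisory
landed upstream in 2.4.3, and the distro backported that fix as a patch
without bumping the upstream version string.
"""
import re
from typing import List, Optional, Tuple

# Placeholder advisory id; deliberately not a real CVE number.
ADVISORY_ID = "CVE-YYYY-NNNNN"

# Constructed stand-in for `rpm -q --changelog examplepkg` output.
RPM_CHANGELOG = """\
* Tue Oct 03 2017 maintainer@example.invalid
- Add examplepkg-fix-parser.patch: backport of the upstream fix for
  CVE-YYYY-NNNNN (out-of-bounds read in the config parser) from 2.4.3
* Mon Jun 12 2017 maintainer@example.invalid
- Update to 2.4.1
"""

INSTALLED_VERSION = "2.4.1"
UPSTREAM_FIXED_VERSION = "2.4.3"


def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split both strings into numeric and alphabetic
    segments and compare segment by segment. Numeric segments compare as
    integers, alphabetic ones as strings, and a numeric segment sorts after an
    alphabetic one. Returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def version_scanner_says_vulnerable(installed: str, upstream_fixed: str) -> bool:
    """What a naive scanner does: vulnerable iff installed < upstream fixed version."""
    return vercmp(installed, upstream_fixed) < 0


def changelog_entries(changelog: str) -> List[Tuple[str, str]]:
    """Split rpm changelog text into (header, body) pairs.
    Entry headers are the lines starting with '* '."""
    entries: List[Tuple[str, str]] = []
    header: Optional[str] = None
    body: List[str] = []
    for line in changelog.splitlines():
        if line.startswith("* "):
            if header is not None:
                entries.append((header, "\n".join(body)))
            header, body = line, []
        elif header is not None:
            body.append(line)
    if header is not None:
        entries.append((header, "\n".join(body)))
    return entries


def find_fix_entry(changelog: str, advisory_id: str) -> Optional[str]:
    """Return the header of the first changelog entry that mentions the
    advisory id (case-insensitive), or None if no entry does."""
    pattern = re.compile(re.escape(advisory_id), re.IGNORECASE)
    for header, body in changelog_entries(changelog):
        if pattern.search(body):
            return header
    return None


def assess(installed: str, upstream_fixed: str, changelog: str, advisory_id: str) -> str:
    """Combine both signals into one verdict string."""
    if not version_scanner_says_vulnerable(installed, upstream_fixed):
        return "not affected: version at or above upstream fix"
    entry = find_fix_entry(changelog, advisory_id)
    if entry is not None:
        return f"version below upstream fix, but backport recorded in changelog entry: {entry}"
    return "version below upstream fix and no backport recorded: treat as vulnerable"


if __name__ == "__main__":
    print("naive scanner:", version_scanner_says_vulnerable(INSTALLED_VERSION, UPSTREAM_FIXED_VERSION))
    print("verdict:", assess(INSTALLED_VERSION, UPSTREAM_FIXED_VERSION, RPM_CHANGELOG, ADVISORY_ID))
```

On a real openSUSE host the same two inputs come from `rpm -q examplepkg` and `rpm -q --changelog examplepkg`; `zypper list-patches --cve <id>` answers the narrower question of whether an unapplied patch for that id is pending. The changelog check only finds what the packager wrote down, so a fix backported without the advisory id in the entry still shows up as "no backport recorded"; that is the residual paper chase the reply is describing.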