[opensuse] openSUSE-SU-2016:0145-1: critical: openssh - why patch OpenSSH_6.2p2 and not install OpenSSH_7.1p2?
All,
Just a curiosity. Why patch OpenSSH_6.2p2 in a critical update instead of updating to OpenSSH_7.1p2? There are no conflicts between the versions or issues with backwards compatibility. So where is the logic for patching an old version when you could simply package the new version as an update?
-- David C. Rankin, J.D.,P.E.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
19.01.2016 06:53, David C. Rankin wrote:
> All,
> Just a curiosity. Why patch OpenSSH_6.2p2 in a critical update instead of updating to OpenSSH_7.1p2? There are no conflicts between the versions or issues with backwards compatibility. So where is the logic for patching an old version when you could simply package the new version as an update?
Adding a new version introduces the risk of new unknown bugs. This is the exact opposite of the goal of a stable release.
On 01/18/2016 09:55 PM, Andrei Borzenkov wrote:
> > All,
> > Just a curiosity. Why patch OpenSSH_6.2p2 in a critical update instead of updating to OpenSSH_7.1p2? There are no conflicts between the versions or issues with backwards compatibility. So where is the logic for patching an old version when you could simply package the new version as an update?
> Adding a new version introduces the risk of new unknown bugs. This is the exact opposite of the goal of a stable release.
Makes sense... I guess it's a damned if you do/damned if you don't situation. Yes the stability logic makes sense, but it also cuts the other way with the potential avenues for exploit that have been closed by design within the new version... I guess it is better the devil you know here...
-- David C. Rankin, J.D.,P.E.
On Mon, Jan 18, 2016 at 9:13 PM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
> Makes sense... I guess it's a damned if you do/damned if you don't situation. Yes the stability logic makes sense, but it also cuts the other way with the potential avenues for exploit that have been closed by design within the new version... I guess it is better the devil you know here...
Security fixes are backported to older versions of OpenSSH on many GNU/Linux distributions. You get the best of both worlds, stability and security.
Brandon Vincent
On 1/18/2016 7:53 PM, David C. Rankin wrote:
> Just a curiosity. Why patch OpenSSH_6.2p2 in a critical update instead of updating to OpenSSH_7.1p2? There are no conflicts between the versions or issues with backwards compatibility. So where is the logic for patching an old version when you could simply package the new version as an update?
Tempted to say "You must be new here", but we both know you aren't. This has always been the Suse way, and once the DVD image is cut, nothing new gets added, at least not to the main repository.
On 01/19/2016 12:24 AM, John M Andersen wrote:
> On 1/18/2016 7:53 PM, David C. Rankin wrote:
> > Just a curiosity. Why patch OpenSSH_6.2p2 in a critical update instead of updating to OpenSSH_7.1p2? There are no conflicts between the versions or issues with backwards compatibility. So where is the logic for patching an old version when you could simply package the new version as an update?
> Tempted to say "You must be new here", but we both know you aren't.
> This has always been the Suse way, and once the DVD image is cut, nothing new gets added, at least not to the main repository.
Yes, of course you are right on all accounts. I guess it is all that "how are things done now uncertainty" that has blown in with the tumbleweeds and leaps that clouded that fact in my memory -- or I could just be getting OLD and SENILE.... (where did I put that Geritol anyway...)
-- David C. Rankin, J.D.,P.E.
participants (4): Andrei Borzenkov, Brandon Vincent, David C. Rankin, John M Andersen