This question is brought up every time this happens. Ubuntu uses stable (old) versions and does not upgrade to latest (unstable) releases very often. However, they do backport and apply security patches to these old versions.
Point in case: 16.04 LTS is still on 2.7.4 but it is fully patched and secure.
Yes, you're right. I was expecting to see the update by checking "git --version" and seeing 2.11.0-1 or something like that, but it's not visible that way.
Indeed if I check with "apt-get show git", the package is on version 2.11.0-2, and then I have to browse to the package web page at https://packages.ubuntu.com/zesty/git and click on the changelog and finally I get to the update information, which clearly contains the text, "SECURITY UPDATE: Arbitrary code execution on clients through malicious ssh URLs."
So it was patched as expected, it just wasn't easy for me to see that without going through a few extra steps.
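A scripted version of the check described above (added example, not code from the thread): parse a Debian/Ubuntu package changelog for SECURITY UPDATE entries instead of clicking through the package page. The changelog text, the revision suffix, dates, maintainer and CVE id are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): list "SECURITY UPDATE" entries in a
# Debian/Ubuntu changelog. `git --version` prints only the upstream 2.11.0;
# the backported fix shows up in the package revision and its changelog.

# Constructed sample in Debian changelog format; the revision "2ubuntu0.1",
# dates, maintainer and CVE id are placeholders, not real values.
SAMPLE_CHANGELOG='git (1:2.11.0-2ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution on clients through malicious
    ssh URLs
    - CVE-XXXX-YYYY (placeholder id)

 -- Example Maintainer <maint@example.invalid>  Thu, 10 Aug 2017 10:00:00 +0000

git (1:2.11.0-2) unstable; urgency=medium

  * New upstream release

 -- Example Maintainer <maint@example.invalid>  Mon, 06 Feb 2017 10:00:00 +0000
'

# Reads a changelog on stdin; prints "<version>: <summary>" for every entry
# carrying a SECURITY UPDATE note (wrapped summary lines are joined).
security_entries() {
    awk '
        /^[a-z0-9.+-]+ \(.*\) .*; urgency=/ {   # header: pkg (version) dist; urgency=...
            ver = $2; gsub(/[()]/, "", ver); next
        }
        /^  \* SECURITY UPDATE:/ {               # start of a security note
            summary = $0; sub(/^  \* SECURITY UPDATE: */, "", summary)
            collecting = 1; next
        }
        collecting && /^    [^-]/ {              # continuation line of the summary
            line = $0; sub(/^ +/, "", line); summary = summary " " line; next
        }
        collecting { print ver ": " summary; collecting = 0 }  # sub-item/blank ends it
        END { if (collecting) print ver ": " summary }
    '
}

# Runs the parser over the constructed sample. On a real host replace the
# printf with: apt-get changelog git   (compare: git --version vs
# dpkg-query -W -f='${Version}\n' git, which shows the distro revision).
sample_security_entries() {
    printf '%s' "$SAMPLE_CHANGELOG" | security_entries
}
```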
It means that one group of developers is busy improving and fixing packages, and another different group is cherry-picking commits in order to maintain the illusion of stability (as mentioned above).
That second group has to duplicate all the testing work done by the first group, and additionally ensure that there are no new problems introduced.
It's very vulnerable to human error and adds a lot of unnecessary work.
It's better to have a competent "second group" do the backport job rather than every single user of a distro having their rug pulled out from under them every time they patch. New versions of software can quickly break your environment. For example, https://gitlab.com/gitlab-org/gitlab-ce/issues/36028. If you have to re-test every script and web service to ensure compatibility with the daily churn of vulnerability fixes you would get nothing done and you could almost never be sure your service is stable.
I see it differently. Where do new bugs and vulnerabilities come from? When the main developers add features or make changes to existing features that go beyond fixing bugs.
From the point of view of many server administrators, using the latest versions of everything is inherently risky. What they want to use is a stable, solid version that has all the latest security fixes.
It's unlikely that these opposing viewpoints will ever be reconciled.
Ideally, we'd rather see upstream release this fix but we've all read https://news.ycombinator.com/item?id=14051106 and I don't want to be too impatient with software that upstream has graciously provided for free (in both senses of the word!)
I guess my point is backporting might make sense if there are small changes we can make to enhance release. However, I agree that there is too much duplication of effort going on.
mcny|8 years ago
https://bugs.kde.org/show_bug.cgi?id=382911
it is a duplicate of
https://bugs.kde.org/show_bug.cgi?id=378854
which is fixed by https://cgit.kde.org/konversation.git/commit/?id=783dc0f595e...
but upstream for some reason does not think this is important enough to tag and bag into a release.
as much hate as Fedora gets, rdieter has taken the time to backport the changes that we need in Fedora.
https://bodhi.fedoraproject.org/updates/FEDORA-2017-9c3e2138...