keeping the packages up to date

Mario Vukelic mario.vukelic at dantian.org
Sun Jun 29 16:33:11 UTC 2008


On Sun, 2008-06-29 at 12:19 -0400, Michael P. Varre wrote:

> I’ve noticed that many major packages for things such as Apache2 and
> PHP5 don’t really stay up to date too much. For instance the newest
> package available using aptitude is 2.0.55, yet the newest available
> on apache.org is 2.0.63. 

> <snip>

> However, do many have an issue running these systems that are so out
> of date due to security concerns?
> 
> Are many admins out there really running Ubuntu LTS in production
> environments that face the internet?

It is the policy of Debian (and Ubuntu does the same) to backport only
security fixes in a stable release cycle. That is, they don't push out
the new upstream version with all its changes, but just pull out the
security fixes and apply them to the Ubuntu version. 

This is done to minimize the amount of changes in a package update, and
thus make it more predictable. I don't use ubuntu-server or apache, but
I am pretty confident that you will find all upstream security fixes
mentioned in the Ubuntu security advisories that accompany the updates.
You can subscribe to those announcements on the appropriate mailing list
(and if you are running a server, you probably should check them. The
recent openssh-in-Debian fiasco is a reminder that not all security
fixes can be solved by package updates - in this case, keys had to be
regenerated and distributed manually).
See https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
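Because the upstream version number stays fixed (2.0.55) while the backported fixes land in new Debian revisions (2.0.55-4ubuntu2 -> 2.0.55-4ubuntu2.1 -> ...), the only reliable local record of which fixes a package carries is its Debian changelog. The script below is an added example, not code from this thread or from Ubuntu; it relies on Ubuntu's convention of marking such entries "SECURITY UPDATE:" in the changelog, and the apache2 changelog it parses is a constructed sample (versions, dates and addresses included), not the real package history. Feed the real thing in with `zcat /usr/share/doc/<pkg>/changelog.Debian.gz` for the installed package.

```shell
#!/bin/sh
# Added example, not part of the original thread or of any Ubuntu tooling.
# Lists the entries of a Debian-format changelog that Ubuntu marked as
# "SECURITY UPDATE:", optionally restricted to those newer than the version
# you have installed, i.e. the fixes your package still lacks.

# security_entries [installed-version]
#   Reads a Debian changelog on stdin and prints "version<TAB>summary" for
#   every entry containing "SECURITY UPDATE". Changelogs list the newest entry
#   first, so when an installed version is given, parsing stops at its entry
#   and only the newer (missing) fixes are printed. If the version is not in
#   the changelog at all, every security entry is printed.
security_entries() {
    awk -v installed="${1:-}" '
        # Entry header: "<package> (<version>) <distribution>; urgency=<u>"
        /^[a-z0-9][a-z0-9.+-]* \([^)]*\) [^;]*; / {
            ver = substr($2, 2, length($2) - 2)   # strip the parentheses
            if (ver == installed) exit            # reached what is installed
            reported = 0
            next
        }
        # First "SECURITY UPDATE" line of the current entry
        index($0, "SECURITY UPDATE") && !reported {
            summary = $0
            sub(/^[ \t]*\*?[ \t]*/, "", summary)   # drop indent and bullet
            print ver "\t" summary
            reported = 1
        }
    '
}

# Constructed sample changelog (assumption: not the real apache2 history).
SAMPLE_CHANGELOG='apache2 (2.0.55-4ubuntu2.2) dapper-security; urgency=low

  * SECURITY UPDATE: backport of a second upstream fix (constructed sample).

 -- Sample Maintainer <maintainer@example.com>  Tue, 15 Jan 2008 12:00:00 +0000

apache2 (2.0.55-4ubuntu2.1) dapper-security; urgency=low

  * SECURITY UPDATE: backport of an upstream fix (constructed sample).
  * Rebuilt against the current toolchain (constructed sample).

 -- Sample Maintainer <maintainer@example.com>  Mon, 10 Dec 2007 12:00:00 +0000

apache2 (2.0.55-4ubuntu2) dapper; urgency=low

  * Packaging change only (constructed sample).

 -- Sample Maintainer <maintainer@example.com>  Wed, 01 Mar 2006 12:00:00 +0000
'

# All security entries in the sample.
all_for_demo() {
    printf '%s' "$SAMPLE_CHANGELOG" | security_entries
}

# Security entries a box still on the original 2.0.55-4ubuntu2 is missing.
missing_for_demo() {
    printf '%s' "$SAMPLE_CHANGELOG" | security_entries "2.0.55-4ubuntu2"
}

missing_for_demo
```

Compare the output against `dpkg-query -W -f='${Version}\n' <pkg>` on the host: if nothing is listed for the installed revision, the package already carries every backported fix recorded in that changelog, whatever its upstream version number says. The summary line is only the first marked line per entry; read the full entry (and the USN it references) for the actual scope of the fix.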




