keeping the packages up to date

Brian McKee brian.mckee at gmail.com
Sun Jun 29 20:16:57 UTC 2008


On Sun, Jun 29, 2008 at 2:35 PM, Michael P. Varre <mvarre at kishmish.com> wrote:
>
>> -----Original Message-----
>> From: ubuntu-users-bounces at lists.ubuntu.com [mailto:ubuntu-users-
>> bounces at lists.ubuntu.com] On Behalf Of Mario Vukelic
>> Sent: Sunday, June 29, 2008 12:33 PM
>> To: Ubuntu user technical support, not for general discussions
>> Subject: Re: keeping the packages up to date
>>
>> On Sun, 2008-06-29 at 12:19 -0400, Michael P. Varre wrote
>>
>> > I've noticed that many major packages for things such as Apache2 and
>> > PHP5 don't really stay up to date too much. For instance the newest
>> > package available using aptitude is 2.0.55, yet the newest available
>> > on apache.org is 2.0.63.
>>
>> > <snip>
>>
>> > However, do many have an issue running these systems that are so out
>> > of date due to security concerns?
>> >
>> > Are many admins out there really running Ubuntu LTS in production
>> > environments that face the internet?
>>
>> It is the policy of Debian (and Ubuntu does the same) to backport only
>> security fixes in a stable release cycle. That is, they don't push out
>> the new upstream version with all its changes, but just pull out the
>> security fixes and apply them to the Ubuntu version.
>>
>> This is done to minimize the amount of changes in a package update, and
>> thus make it more predictable. I don't use ubuntu-server or apache, but
>> I am pretty confident that you will find all upstream security fixes
>> mentioned in the Ubuntu security advisories that accompany the updates.
>> You can subscribe to those announcements on the appropriate mailing
>> list
>> (and if you are running a server, you probably should check them. The
>> recent openssh-in-Debian fiasco is a reminder that not all security
>> fixes can be solved by package updates - in this case, keys had to be
>> regenerated and distributed manually).
>> See https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
> So do you mean to say that even though my Apache2 version is at 2.0.55, and up to date from the package repository, it is still actually up to date with regards to security fixes?
Yes, if you are subscribed to the repositories.

> How would I know that for sure?  I understand I can keep my eye on the security announcement list, however is there a way for me to know what exactly is up to date within my packages (that have old version numbers).

Try 'aptitude changelog apache2' to show what they've done with each
version (or poke around in Synaptic if you use the GUI for the change
logs). It'll show you what you are looking for.

Brian
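A way to check the changelog mechanically, as an added example that is not part of the thread: the script below reads a Debian-format changelog (the text `aptitude changelog apache2` prints) and lists the versions whose entry is a security update, with the CVE ids it cites, so you can see which fixes were backported even though the upstream version number never moved. The "SECURITY UPDATE:" marker is assumed to be the Ubuntu security team's changelog convention; the sample changelog, its versions, dates and CVE ids are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): given a Debian-format changelog on
# stdin, list versions whose entry is a security update and the CVE ids cited.
# Feed it the real thing with:  aptitude changelog apache2 | security_versions
# "SECURITY UPDATE:" is the Ubuntu security team's changelog marker (assumed
# here); any "CVE-YYYY-NNNN" id in an entry also counts as a security fix.

security_versions() {
    awk '
        # Entry header: "package (version) suite; urgency=..."
        /^[a-z0-9.+-]+ \([^)]+\) / {
            emit()
            ver = $2; gsub(/[()]/, "", ver)
            sec = 0; cves = ""
            next
        }
        /SECURITY UPDATE/ { sec = 1 }
        {
            line = $0
            # Collect every CVE id on the line; a cited CVE marks the entry.
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                sep = (cves == "") ? "" : ","
                cves = cves sep id
                line = substr(line, RSTART + RLENGTH)
                sec = 1
            }
        }
        function emit() { if (ver != "" && sec) print ver " " cves }
        END { emit() }
    '
}

# Constructed sample changelog: versions, dates and CVE ids are placeholders.
SAMPLE_CHANGELOG='apache2 (2.0.55-4ubuntu2.4) dapper-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in mod_imagemap (CVE-0000-1111)
  * SECURITY UPDATE: denial of service in mod_proxy, fixes CVE-0000-2222

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2008 00:00:00 +0000

apache2 (2.0.55-4ubuntu2.3) dapper; urgency=low

  * Fix a typo in the init script.

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2007 00:00:00 +0000
'

# Prints: 2.0.55-4ubuntu2.4 CVE-0000-1111,CVE-0000-2222
printf '%s' "$SAMPLE_CHANGELOG" | security_versions
```

The plain bugfix entry (2.0.55-4ubuntu2.3) is not listed, which is the point: the Debian revision suffix after the upstream version is where backported fixes show up.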