keeping the packages up to date

Michael P. Varre mvarre at kishmish.com
Sun Jun 29 20:34:27 UTC 2008


> -----Original Message-----
> From: ubuntu-users-bounces at lists.ubuntu.com [mailto:ubuntu-users-
> bounces at lists.ubuntu.com] On Behalf Of Brian McKee
> Sent: Sunday, June 29, 2008 4:17 PM
> To: Ubuntu user technical support, not for general discussions
> Subject: Re: keeping the packages up to date
> 
> On Sun, Jun 29, 2008 at 2:35 PM, Michael P. Varre <mvarre at kishmish.com>
> wrote:
> >
> >> -----Original Message-----
> >> From: ubuntu-users-bounces at lists.ubuntu.com [mailto:ubuntu-users-
> >> bounces at lists.ubuntu.com] On Behalf Of Mario Vukelic
> >> Sent: Sunday, June 29, 2008 12:33 PM
> >> To: Ubuntu user technical support, not for general discussions
> >> Subject: Re: keeping the packages up to date
> >>
> >> On Sun, 2008-06-29 at 12:19 -0400, Michael P. Varre wrote
> >>
> >> > I've noticed that many major packages for things such as Apache2
> and
> >> > PHP5 don't really stay up to date too much. For instance the
> newest
> >> > package available using aptitude is 2.0.55, yet the newest
> available
> >> > on apache.org is 2.0.63.
> >>
> >> > <snip>
> >>
> >> > However, do many have an issue running these systems that are so
> out
> >> > of date due to security concerns?
> >> >
> >> > Are many admins out there really running Ubuntu LTS in production
> >> > environments that face the internet?
> >>
> >> It is the policy of Debian (and Ubuntu does the same) to backport
> only
> >> security fixes in a stable release cycle. That is, they don't push
> out
> >> the new upstream version with all its changes, but just pull out the
> >> security fixes and apply them to the Ubuntu version.
> >>
> >> This is done to minimize the amount of changes in a package update,
> and
> >> thus make it more predictable. I don't use ubuntu-server or apache,
> but
> >> I am pretty confident that you will find all upstream security fixes
> >> mentioned in the Ubuntu security advisories that accompany the
> updates.
> >> You can subscribe to those announcements on the appropriate mailing
> >> list
> >> (and if you are running a server, you probably should check them.
> The
> >> recent openssh-in-Debian fiasco is a reminder that not all security
> >> fixes can be solved by package updates - in this case, keys had to
> be
> >> regenerated and distributed manually).
> >> See https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-
> announce
> > So do you mean to say that even though my Apache2 version is to
> 2.0.55, and up to date from the package repository, it is still
> actually up to date with regards to security fixes?
> Yes, if you are subscribed to the repositories.
> 
> > How would I know that for sure?  I understand I can keep my eye on
> the security announcement list, however is there a way for me to know
> what exactly is up to date within my packages (that have old version
> numbers).
> 
> Try 'aptitude changelog apache2' to show what they've done with each
> version  (or poke around in Synaptic if you use the GUI for the change
> logs).   It'll show you what you are looking for.
> 
> Brian
> 




I see, very interesting.  So, and please forgive my ignorance again, when I
run aptitude changelog apache2 on my installation, and I see...

apache2 (2.0.55-4ubuntu2.3) dapper-security;

Obviously the 2.0.55 is the major Apache version, but what is the
significance of the _4_ as well as the _2.3_?  I see all the security
updates that have been released with that particular package, and they look
to be up to date when compared to the security advisories on apache.org.


Also, obviously this particular example I've given is from a box running
dapper.  If I keep my packages up to date, is there significance from a
security point of view to get my system up to hardy or would I expect just
feature improvements for a major version upgrade of Ubuntu?

Thanks again for the info - this is helping a lot!
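
An added example, not part of the original message or the thread: one way to check which security fixes a backported package carries is to split the package version into its parts and list the CVE ids each changelog entry mentions. The changelog text below is constructed (placeholder CVE ids and maintainer); on a real system it would be the output of `aptitude changelog apache2`. The function names are hypothetical.

```python
import re

# Constructed sample in Debian changelog format; the CVE ids are placeholders.
SAMPLE_CHANGELOG = """\
apache2 (2.0.55-4ubuntu2.3) dapper-security; urgency=low

  * SECURITY UPDATE: placeholder entry one.
    - References: CVE-0000-0001, CVE-0000-0002

 -- Example Maintainer <maint@example.invalid>  Tue, 01 Jan 2008 00:00:00 +0000

apache2 (2.0.55-4ubuntu2.2) dapper-security; urgency=low

  * SECURITY UPDATE: placeholder entry two (CVE-0000-0003).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2007 00:00:00 +0000
"""

HEADER = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+);")  # package (version) distribution;
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def split_version(version):
    """Split [epoch:]upstream[-revision]; Ubuntu appends 'ubuntuN' to the Debian revision."""
    epoch, rest = version.split(":", 1) if ":" in version else ("", version)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:  # no hyphen: the version has no revision part
        upstream, revision = rest, ""
    debian_rev, _, ubuntu_rev = revision.partition("ubuntu")
    return {"epoch": epoch, "upstream": upstream,
            "debian_revision": debian_rev, "ubuntu_revision": ubuntu_rev}

def cves_by_version(changelog_text):
    """Map each changelog entry's version to the CVE ids its text mentions."""
    result, current = {}, None
    for line in changelog_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(2)
            result[current] = []
        elif current is not None:
            result[current] += [c for c in CVE.findall(line) if c not in result[current]]
    return result

def missing_cves(changelog_text, wanted):
    """Return the ids from `wanted` that no changelog entry mentions."""
    fixed = {c for cves in cves_by_version(changelog_text).values() for c in cves}
    return [c for c in wanted if c not in fixed]

if __name__ == "__main__":
    print(split_version("2.0.55-4ubuntu2.3"))
    print(cves_by_version(SAMPLE_CHANGELOG))
    print(missing_cves(SAMPLE_CHANGELOG, ["CVE-0000-0003", "CVE-0000-0009"]))
```

An id missing from the changelog is not proof that the package is vulnerable, since an advisory may not apply to the packaged version; treat it as a prompt to check the distribution's security notices.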

