On Wed, 2010-03-03 at 01:34 +0100, Björn Persson wrote:
> Adam Williamson wrote:
> > you can try and cherry-pick security updates, but then you get the
> > problem where initial release has Foobar 1.0, then Foobar 3.5 gets
> > shipped in updates, then a security problem emerges and Foobar 3.5-2
> > with the security fix gets shipped in updates. You now have a choice of
> > insecure Foobar 1.0, or completely new version Foobar 3.6.
>
> There's also the other variant where a security problem is found in Foobar 1.0
> but the problem isn't present in Foobar 3.0 and later. Upstream still supports
> the 1.0 branch and releases Foobar 1.0.4 to fix the problem, but no security
> update is released for Fedora since there is no problem in the latest Fedora
> package. The Fedora user who chose not to upgrade Foobar won't even know that
> there is a security problem.

This isn't a hard problem: 3.0 should then be marked as a security update.
Sure it sucks that you have to go from 1.0.4 to 3.0, and presumably a lot
will change, but that's Fedora.

On the other hand, if "yum --security update" does not fix the known
security problems on your system, that's a huge exploit waiting to happen
... and one I doubt any users know about.

I've sent a query to security@ to clarify.

-- 
James Antill - james@xxxxxxxxxxxxxxxxx
http://yum.baseurl.org/wiki/releases
http://yum.baseurl.org/wiki/whatsnew/3.2.27
http://yum.baseurl.org/wiki/YumMultipleMachineCaching

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel