Hi, Distributions like RHEL and Debian have a very strict update policy (for good reason). People expect stability and don't want surprises. When CVEs arise, patches can often be backported. Nginx 1.8.1 recently fixed three CVEs and I've backported to Nginx 1.6.x on EL7. Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot but backporting the patches reliably without creating new CVEs is beyond my expertise. Nginx 0.8.x on EL5 is prehistoric. I've had a couple of bug reports recently suggesting that I rebase Nginx to 1.8.1 on all branches. On the one hand, I want to avoid causing surprises and breaking somebody's website. On the other hand, these vulnerabilities do need to be fixed. (The approach I took with the Tor package is to always use the latest stable release on all branches, which is working well.) What do people think? Should I go ahead and update all branches (with appropriate migration notes)? Kind regards, Jamie -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
