On Thu, Jan 28, 2016 at 5:03 AM, Jamie Nguyen <j@xxxxxxxxxxxxxx> wrote:

> Hi,
>
> Distributions like RHEL and Debian have a very strict update policy (for
> good reason). People expect stability and don't want surprises.
>
> When CVEs arise, patches can often be backported. Nginx 1.8.1 recently
> fixed three CVEs and I've backported to Nginx 1.6.x on EL7.
>
> Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot but
> backporting the patches reliably without creating new CVEs is beyond my
> expertise. Nginx 0.8.x on EL5 is prehistoric.
>
> I've had a couple of bug reports recently suggesting that I rebase Nginx
> to 1.8.1 on all branches. On the one hand, I want to avoid causing
> surprises and breaking somebody's website. On the other hand, these
> vulnerabilities do need to be fixed. (The approach I took with the Tor
> package is to always use the latest stable release on all branches,
> which is working well.)
>
> What do people think? Should I go ahead and update all branches (with
> appropriate migration notes)?
>
> Kind regards,
> Jamie

I personally think you should. EPEL isn't supposed to unreasonably hold back when even the upstream project no longer maintains that version. As long as all consumers of the nginx package are appropriately updated (if necessary) and the transition notes are documented, I don't see why not.

However, the problem really comes in with how to get people to read the upgrade notes, as that's pretty much the only way to make that work.

--
真実はいつも一つ! / Always, there's only one truth!

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx