On Thu, 28 Jan 2016 10:03:08 +0000
Jamie Nguyen <j(a)jamielinux.com> wrote:
Hi,
Distributions like RHEL and Debian have a very strict update policy
(for good reason). People expect stability and don't want surprises.
When CVEs arise, patches can often be backported. Nginx 1.8.1 recently
fixed three CVEs and I've backported to Nginx 1.6.x on EL7.
Unfortunately, Nginx 1.0.x on EL6 is too old; I gave it a good shot
but backporting the patches reliably without creating new CVEs is
beyond my expertise. Nginx 0.8.x on EL5 is prehistoric.
I've had a couple of bug reports recently suggesting that I rebase
Nginx to 1.8.1 on all branches. On the one hand, I want to avoid
causing surprises and breaking somebody's website. On the other hand,
these vulnerabilities do need to be fixed. (The approach I took with
the Tor package is to always use the latest stable release on all
branches, which is working well.)
What do people think? Should I go ahead and update all branches (with
appropriate migration notes)?

Well, this kind of question would probably be better on the epel-devel
list, but otherwise:
https://fedoraproject.org/wiki/EPEL_Updates_Policy
And you can ask for an exception. This would entail pushing the new
version to testing and leaving it there a while, mailing epel-announce
to note that there's an incompatible version in testing and please test
and then another note before you push it stable to give them a heads
up. You may want to wait and push it stable at the same time as the
next .X release comes out.
kevin