
Which distribution provides security updates for all their packages for, let's say, three or five years? Debian Stable has exceptions; so does Ubuntu, and it also makes a huge distinction for thousands of packages in the Universe repository, which for the most part don't get any support at all. Fedora releases are AFAIK only supported for a year or two.

And then you also get the issue of bugs that are actually security issues, but weren't labeled/identified as such, and therefore never get fixed in those stable distributions.




RHEL and CentOS have 5 years of updates for their core packages.


According to their git repository[1] the last time they updated the WebKitGTK library was half a year ago. In the meantime there have been multiple upstream releases, fixing multiple security vulnerabilities[2-6]. Or does this git mirror not reflect the current state of the version they're shipping?

[1] https://git.centos.org/rpms/webkit2gtk3/commits/c8
[2] https://webkitgtk.org/security/WSA-2020-0001.html
[3] https://webkitgtk.org/security/WSA-2020-0002.html
[4] https://webkitgtk.org/security/WSA-2020-0003.html
[5] https://webkitgtk.org/security/WSA-2020-0004.html
[6] https://webkitgtk.org/security/WSA-2020-0005.html


Looks like that package is part of the AppStream collection and therefore does not have the same guarantees as the core packages. That's at least what some quick googling told me.

RHEL and CentOS have pretty good backporting support for packages that they support, but most installs of them that I have seen use/include packages from other collections that are not supported, which is of course the wrong way to do it.



