Re: [exim] Getting the latest version for Debian Wheezy

Author: Michael Grant
Date:  
To: exim-users
Subject: Re: [exim] Getting the latest version for Debian Wheezy
On Sat, Jul 12, 2014 at 5:34 PM, Klaus Ethgen <Klaus+exim@???> wrote:

>
> Hi Folks,
>
> I'll start with the last mail I reply to. It makes more sense that way.
>
> Am Sa den 12. Jul 2014 um 16:28 schrieb Graeme Fowler:
> > With respect folks, this is not the right mailing list for this
> > discussion.
> >
> > There is a Debian-specific support list for Exim on Debian; I suggest you
> > look in your package docs and follow from there. I'm sure the
> > distribution maintainers will be happy to answer any questions.
>
> More or less true, especially if he asks something debian specific.
>
> But parts of the discussion matches to all distributions. So I will
> answer them here.
>
> Am Sa den 12. Jul 2014 um 15:44 schrieb Adam D. Barratt:
> > > > I don't think so. Without explicitly checking all the patches, but
> > > > debian usually backports security relevant patches to the stable
> > > > distribution.
> > > > I urge you to go look at what got fixed between 4.80 and 4.82 then
> > > > (https://lists.exim.org/lurker/list/exim-announce.html). There's a
> > > > DKIM hole that got patched that sounds pretty serious if you use DKIM.
> >
> > Do you mean CVE-2012-5671, which was fixed in exim 4.80.1 in October
> > 2012? That was already fixed in Debian's package version 4.80-5.1 at the
> > same time as the announcement by the exim maintainers; wheezy has 4.80-7
> > - i.e. newer.
>
> I also think that this is the bug, Michael refers to.
>


Yes, think so, I was referring to this:
https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html
which details 4.80.1.

So I see, I am starting to understand now that there is not an exact
relation between the dot releases in exim and the release numbers given in
debian (or any unix/linux distro for that matter).

>
> > Why would you expect a _stable distribution_ to contain an upstream
> > version beyond the one that was current when the distribution was
> > released?
>
> And that is exactly how stable distributions, all of them, call them
> debian, redhat, susi^He, ..., work. You do not want to have a major
> version upgrade in a stable release.
>


Yes, I agree and for me, a dot release is not a major release. But I'm
understanding that you are referring to ANY change in the version number
you consider a major version upgrade.

>
> If you want, you have to go your own way and compile the software
> yourself. But then you have to take care yourself about dependencies,
> security upgrades and API changes.
>
> I know some people compiling exim themselves. It is not that hard. But if
> you use a stable release of a distribution, you will stay on that
> particular version with distribution caring about security fixes. How
> they do that might be different.
>
> Am Sa den 12. Jul 2014 um 14:59 schrieb Michael Grant:
> > > If you find an unfixed security bug you can create a bugreport with
> > > severe severity.
> >
> > It's true, I can do this, however, I'm not the person who builds exim on
> > debian, I just came along the other day and started using it because I
> > needed a mailer!
>
> Also that is how distributions work. If you find a security bug that is
> not fixed, report it. The one who builds debian packages might not know
> about all security bugs but most likely they monitor the relevant
> information to do so.
>


So how can I know that any particular distribution is patched up to the
current bug fix level of the current level of a piece of software? I spent
some time trying to search out this info in the svn repo for debian and
couldn't find it. I see it's been updated 4 times but without actually
digging into the diffs, there seems to be no easy way to know.

If, on the other hand, I saw 4.92 in the version and I saw that exim's
latest version was 4.92, then it's easy for me to discern that I am in fact
running the latest s/w with the fewest known bugs. But yes, I totally see
your point that the dot releases changes the version number and hence
consider a major change.

It's true that this is not an exim problem and I will pose this question on
the debian exim list (unless someone here is on that list, feel free to
reply to me directly).

>
> Especially with debian it is so easy to call »reportbug« to report your
> bug. While it is a pain in the ass to file a bug in redhat's bugzilla, it
> is so easy to file one in debian. So please don't complain, report it.
>
> > What you are saying implies a much larger problem that there's no
> > orderly way to feed release info into the distributions.
>
> What? I do not get this sentence.
>
> Ah, and before you ask, no, I am not related to debian, I just use
> debian as base of the systems I build stuff on. And I reported many bugs
> until now on many subsystems. Even if some of the bugs are nonsense (not
> intended but came out as being my own problem) it makes sense to report
> bugs.
>
> Regards
>    Klaus

>
> Ps. You do not need to send the answer to me directly, I do actively
>     read this list.

>


Klaus, thanks for your responses, much is now clearer.

Michael Grant

> - --
> Klaus Ethgen                              http://www.ethgen.ch/
> pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <Klaus@???>
> Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
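
The question raised in this message, how to tell whether a distribution package already carries a given fix when its upstream version number has not moved, can be answered from the package's Debian changelog. The following is an added example, not part of the original thread: `cve_fixed_in` and `sample_changelog` are hypothetical names, and the changelog text is constructed around the package versions and CVE number quoted in the thread.

```shell
#!/bin/sh
# cve_fixed_in CVE-ID
# Reads a Debian-format changelog on stdin and prints every package version
# whose changelog entry mentions CVE-ID, oldest first.
# On an installed system the input would typically come from
#   zcat /usr/share/doc/<package>/changelog.Debian.gz
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
            ver = $2
            gsub(/[()]/, "", ver)
            next
        }
        # Body line mentioning the CVE: record the current version once.
        index($0, cve) && ver != "" && !(ver in seen) {
            seen[ver] = 1
            hits[++n] = ver
        }
        # Changelogs list the newest entry first, so print in reverse.
        END { for (i = n; i >= 1; i--) print hits[i] }
    '
}

# Constructed sample input (entry text, maintainer and dates are made up;
# only the version numbers and the CVE id come from the thread).
sample_changelog() {
    cat <<'EOF'
exim4 (4.80-7) unstable; urgency=low

  * Constructed entry: packaging changes only.

 -- Example Maintainer <maint@example.org>  Tue, 01 Jan 2013 00:00:00 +0000

exim4 (4.80-5.1) unstable; urgency=high

  * Constructed entry: backport upstream DKIM fix (CVE-2012-5671).

 -- Example Maintainer <maint@example.org>  Fri, 26 Oct 2012 00:00:00 +0000
EOF
}

# The first version listed is the earliest package revision carrying the fix;
# any installed revision at or after it (here 4.80-7) includes the backport.
sample_changelog | cve_fixed_in CVE-2012-5671
```

An empty result means the changelog never mentions the CVE, which is a reason to check the distribution's security tracker or ask the maintainers rather than proof that the fix is absent.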