Hi,

On Sat, Jan 18, 2025 at 12:14:16PM +1100, George at Clug wrote:
> On Saturday, 18-01-2025 at 11:47 John Hasler wrote:
> > In the case of rsync Debian backported a fix.  Therefore it gets the old
> > version number with a suffix to indicate that Debian patched it.  In the
> > case of chromium upstream patched it and released the patched version
> > with a new version number.

[…]

> So this means that a patched version from:
> 
> https://backports.debian.org/

I will stop you there because you are confusing the backports
repository, which contains later versions of software, with the more
strict definition of "backporting a security patch" which is how Debian
generally gets security patches into a stable release.

After a stable release of Debian is made, future package updates will
come from the stable-updates suite (e.g. bookworm-updates in the case
of Debian 12). These updates will in most cases contain the same version
of the software from stable suite but with a fix for one or more
security bugs built for it.

In the concrete case of rsync as recently discussed on this list, the
*Debian* package version as reported by dpkg would be 3.2.7-1 when it
was originally installed from the Debian 12 release media, but would be
updated to 3.2.7-1+deb12u2 through package updates that came via the
bookworm-updates suite in your sources.list. All the time, the actual
program is going to report 3.2.7 when you type "rsync --version",
because that is what it is.

When you install Debian it usually enables security updates via an
-updates suite, so every user of stable should be getting security
updates.

One particular consequence of this process of making a stable release is
that generally no new features will ever come to the packages in it.
rsync's feature set will always remain as it was at 3.2.7 and only
security issues, and severe bugs introduced when trying to fix those
issues, will appear within the lifetime of that Debian release.

By contrast the backports repository is a whole other optional
repository that exists to provide entirely newer versions of some
packages for people who need them:

> Backports are packages taken from the next Debian release (called
> "testing"), adjusted and recompiled for usage on Debian stable. 

Those packages would be based on a newer upstream release, and would
include the new features of those newer versions.

Only a limited number of packages have backports. There isn't currently
an rsync in bookworm-backports, for example.

> as long as we have debian-security in our apt sources we still get the
> security patched version without needing to do anything special like
> specifically installing a bookworm-backports package.

Yes, -backports is a whole other thing and is not involved in the
creation of stable security updates.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
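The version strings in the thread above (3.2.7-1 on the release media, 3.2.7-1+deb12u2 after a stable update, 3.2.7 from "rsync --version") follow the Debian package version format [epoch:]upstream_version[-debian_revision]. The shell snippet below is an added example, not part of Andy's message nor any Debian tool: the function names (deb_upstream_version, deb_revision, deb_stable_update_suffix) are my own, and it splits a dpkg version into its parts so you can see which component a "+debNNuM" stable update changes and why the program itself keeps reporting the same upstream version. The sample version strings at the bottom are constructed for illustration; the optional live check only runs if dpkg-query is present.

```shell
#!/bin/sh
# Added example (not from the original post). Debian version format:
#   [epoch:]upstream_version[-debian_revision]
# The debian_revision sits after the LAST hyphen; a stable security or
# point-release update appends "+debNNuM" to it and leaves upstream_version
# untouched, which is why "rsync --version" still says 3.2.7.

# Print the upstream_version component of a Debian package version.
deb_upstream_version() {
    v=${1#*:}                       # drop the optional "epoch:" prefix
    case $v in
        *-*) printf '%s\n' "${v%-*}" ;;   # everything before the last hyphen
        *)   printf '%s\n' "$v" ;;        # native package: no revision at all
    esac
}

# Print the debian_revision component (empty for a native package).
deb_revision() {
    v=${1#*:}
    case $v in
        *-*) printf '%s\n' "${v##*-}" ;;  # everything after the last hyphen
        *)   printf '\n' ;;
    esac
}

# Succeed (exit 0) and print the "+debNNuM" suffix if the version came from
# a Debian stable update; fail (exit 1) if it is the original release build.
deb_stable_update_suffix() {
    case $1 in
        *+deb[0-9]*u[0-9]*)
            printf '+deb%s\n' "${1##*+deb}"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Human-readable breakdown of one version string.
describe_version() {
    printf 'dpkg version   : %s\n' "$1"
    printf '  upstream     : %s\n' "$(deb_upstream_version "$1")"
    printf '  revision     : %s\n' "$(deb_revision "$1")"
    if s=$(deb_stable_update_suffix "$1"); then
        printf '  stable update: yes (%s)\n' "$s"
    else
        printf '  stable update: no\n'
    fi
}

# Constructed sample inputs: the rsync versions discussed in the thread plus
# an epoch-carrying one to show that the epoch is not part of the upstream
# version either.
for sample in 3.2.7-1 3.2.7-1+deb12u2 1:9.18.28-1~deb12u2; do
    describe_version "$sample"
done

# Optional live check on a real Debian system: what dpkg records versus
# what the binary reports. Skipped silently where dpkg-query is absent.
if command -v dpkg-query >/dev/null 2>&1 && command -v rsync >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' rsync 2>/dev/null || true)
    [ -n "$installed" ] && describe_version "$installed"
    rsync --version 2>/dev/null | head -n 1
fi
```

The third sample shows the other suffix shape you will meet, "~deb12u2", which Debian uses when a stable update is a rebuild of a newer upstream release rather than a patch to the existing one; the helper above deliberately matches only the "+debNNuM" form described in the thread, so treat a "~deb" version as a separate case when scripting against dpkg output.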
