On Thu, Aug 8, 2013 at 3:13 AM, Stefan Sperling <s...@elego.de> wrote:
> The assertion that packagers only use unmodified tarball is strange to
> me. Packagers routinely patch upstream software to make it work on their
> system or to backport security fixes. But usually the version number of
> the upstream release which the package is based on is used in the package
> name.
Yes, the *nix distributions typically do this; sadly they aren't the most reliable packagers. I'll admit I don't pay much attention to what OpenBSD does, but I know some of these distributors haven't done a very good job of making security updates available. Picking on Debian here a bit: https://security-tracker.debian.org/tracker/CVE-2013-1846 CVE-2013-1846 was announced in April; squeeze still doesn't have this fix. So frankly I think the most reliable packagers are the vendors these days. And to the best of my knowledge they aren't patching their packages. Maybe if we released a security issue without a new patch release accompanying it they would.