You also have to remember that just because a security update comes available for a package doesn't mean it will be immediately deployed. Packages (especially for an OS like GNU OS) require testing to ensure they are stable enough for mass deployment across the spectrum of distributions supported. This isn't just a Slackware or Linux thing, it's a universal OS thing. If you are a Windows, OS-X, GNU BSD, or a GNU Linux administrator, you just don't drop in a new package out to deploy without thoroughly testing it.

If anything Patrick and the Slackware team thoroughly test everything before deploying it. That's why Slackware-current (both x32 and x64) exists as a testing ground and why the Slackware mailing list and Linuxquestions.org exists.

But lastly you also have to remember this... the GNU Linux OS is a customizable OS. It's up to you mostly to administrate and monitor your own systems. If you find a security update before Patrick does, don't simply rely on Patrick to do everything for you. Download, compile, and install the update yourself.

?!? From the GNU website. http://www.gnu.org/gnu/linux-and-gnu.html
It is debatable if even Linux should have GNU appended. Adding it to the BSDs...

I am not sure about very long security support for old versions. or at least not for all packages. an example:

slackware 13.1 comes with mozilla-firefox 3.6.x ... latest 3.6.x mozilla-firefox version with all patches is 3.6.21 but the latest mozilla-firefox version in slackware is 3.6.19. and I am talking about 13.1 and that is previous version which was the newest one until few months ago.


I would recommend not to rely only on official updates. I am following slackware security list but I am also updating firefox, thunderbird and a few other applications manually to avoid waiting.

Hi,

Stock 13.1 uses 'mozilla-firefox-3.6.3-i686-1.txz'. Last Security update was to You failed to show the many updates between 3.6.3 to 3.6.19. There were several updates between the minors that are major software changes, so why not replace to a valid secure package.

You can look at the security logs to see the progression and change notes.
I disagree with your statement about not relying on official updates. Some individuals do not have the means nor desire to follow upstream updates.

BTW, security for Slackware is covered back too version 8.1. through '-current'. Some users do not always use current versions of Slackware.
If it ain't broke don't fix it!

that is correct. 3.6.16 , .17 or .18 were there. 3.6.19 too. but 3.6.20 or 3.6.21 not. that is a fact. and 3.6.20 and 3.6.21 are security updates and not feature updates.

I did not say not to rely but not to rely ONLY on official updates.

I do not understand what you want say by this.

Hi,

To clarify a bit. Some users do not follow software changes for applications like mozilla-firefox(upstream) but rely on Slackware's team to provide necessary changes. Both for security and feature changes, some users rely on the team to provide packages.

That is true for reliance for official Slackware packages to insure there are no problems for a user.

that is true even for me in some cases but whether a user choose to follow software changes has nothing to do that with a fact that slackware repository does not have security patches or an updated version of a "bad" application.

but there might be a good explanation (which I missed) for not providing updates for mozilla-firefox package.

Hi,

Security updates are provided via the '/patches' directory for your version at a favorite mirror. You my friend do not have a clue as to where, how & why the Slackware team provides security patches or updates. If you sign up for security announcements via Mailing Lists then you will get notification(s). Another option is to follow '-current' changelog to track changes but the best and easiest is via the mailing list.



EDIT: PV & team do not always provide or make changes to upstream software. Packages that are working with the version will sometimes remain the same. Therefor tracking upstream is sometimes provided by notification(s) from users to PV & team. PV will decide if the changes are justifiable.

There is now firefox-3.6.22 in Slackware 13.0 and 13.1 and firefox-6.0.2 in 13.37 and current.

My guess would be 9 years.

I do not see what is actually your problem with my statement. I just said that users should not only rely on official patches but also look directly in applications. mozilla-firefox is/was a good example for missing some security patches. you are defending without any concrete explanation ("PV decides" is not an explanation) the fact that FF package was not patched and I see no reason why.