by vbernat 3292 days ago
This is the case for much software. Usually, distribution support is longer than upstream. Therefore, distributors have to backport the patches. That's what is done for Debian.

There are few exceptions: any Oracle product (Oracle doesn't provide security patches and discourages people from making them) and Chromium (patches are too big) and Firefox (idem). For Chromium, the exception is to use the latest version. For Firefox, the exception is to switch to the next ESR once the current one becomes unmaintained.

Thanks, I didn't realize that.

Do you know if these exceptions are documented somewhere deep in the Debian doc maze?

It's kinda documented in release notes:

https://www.debian.org/releases/stretch/amd64/release-notes/...

They don't mention the Oracle debacle, though.

>Unfortunately, this means that libv8-3.14, nodejs, and the associated node-* package ecosystem should not currently be used with untrusted content, such as unsanitized data from the Internet.

Jeez. I guess this means most people will be using other node binaries in production.

If they are, I don't know where.