On 3/23/21 8:02 AM, Ulrich Windl wrote:
Quanah Gibson-Mount email@example.com schrieb am 22.03.2021 um 16:08 in
--On Monday, March 22, 2021 8:20 AM +0000 Dario García Díaz-Miguel firstname.lastname@example.org wrote:
Thank you, appreciated. But as I told you, we are not allowed to use any external source that is not included and audited previously by a special security entity.
Given there have been a number of security and remote crasher issues fixed since that release, one would have to seriously question the efficacy of company's system.
To be fair, one should add that SUSE is backporting security fixes to their version.
While I sometimes backport patches not yet released in 2.4.x series I think backport patching imposes higher risks and should generally be avoided for various reasons.
It's also not clear to me how closely SUSE maintainers are monitoring upstream changes or whether backport patches are only added in case a SUSE customer sent in a suffcientely specific support request. They will definitely add a patch for a security issue with CVE-Ids assigned, but not everyone had one.
Moreover at least one customer-fix patch, also added to openSUSE package, was so obscure that I've branched openSUSE package openldap2 and maintain that without obscure backport patches.
BTW: You can check how package openldap2 is built for upcoming SLE15SP3 in the openSUSE Leap 15.3 repo because both will be binary-compatible from that version on: