# Does Gentoo backport patches like CentOS and Red Hat?

## Cyberstudio

Hi guys!

I was wondering, does Gentoo backport security patches? I'm thinking of packages like Firefox, the kernel, Apache, etc. Right now I have Firefox 31.5.3 (from source, stable from the tree), but the "real" Firefox is 37.0.1! Does that mean that I'm vulnerable to all the security bugs that were fixed after my 31.5.3? Or does my 31.5.3 have all those security bugs fixed with backports of those patches?

I know that Red Hat does backports (and Debian too, I guess?), so I was wondering about Gentoo, since some packages can take a while to be marked as stable.

Thanks!

----------

## mv

*Cyberstudio wrote:*

> I was wondering, does Gentoo backport security patches?

No.

And, BTW, since nobody knows for sure what might be a security bug or another bug, you cannot rely on backports too much anyway. There was just recently a blog post about this on Gentoo Planet somewhere, about how e.g. the lack of a new SSL protocol might be a much worse security bug, but you will never receive this as a backport, because it involves changes too deep in the code.

*Quote:*

> I'm thinking of packages like Firefox, the kernel, Apache, etc.

I would recommend always running ~arch for these packages (and other ones like nss which are security relevant).

OTOH, nobody knows: always running ~arch also means potentially running into new bugs, including new security bugs.

Some (upstream) projects have a policy to backport patches, however. IIRC, Firefox does have such a policy, but I am not sure. There are also the long-term supported kernels. I think Gentoo tries to follow these in their stabilization policy.

----------

## Cyberstudio

So I guess it's safer if I move both the kernel and Firefox to ~amd64.

Thanks!

----------

## ulenrich

I would follow what upstream says: 

www-client/firefox-31.6.0 should have the security fixes and should run well using Gentoo-stable

sys-kernel/vanilla-sources-3.18 is the latest longterm on kernel.org. 

Canonical and Debian somewhere provide a VCS tree of security-patched linux-3.16. Debian announces general patches distinct from distribution-specific ones if you try: apt-get source ...

----------

## toralf

*Cyberstudio wrote:*

> So I guess it's safer if I move both the kernel and Firefox to ~amd64.
>
> Thanks!

I have been running a hardened unstable kernel here on my desktop and my server without any problems for a few months.

Consider such a kernel as an alternative to the stable one.

----------

## ulenrich

*toralf wrote:*

> *Cyberstudio wrote:*
> > So I guess it's safer if I move both the kernel and Firefox to ~amd64.
> >
> > Thanks!
>
> I have been running a hardened unstable kernel here on my desktop and my server without any problems for a few months.
>
> Consider such a kernel as an alternative to the stable one.

@toralf 

I remember having read "hardened-sources" is "no good" for the desktop. 

But I just changed my graphics driver back from proprietary nvidia to open-source nouveau.

Would that suffice to successfully change to hardened? 

What are the limitations you know about?

----------

## toralf

*ulenrich wrote:*

> What are the limitations you know about?

I just have i915 graphics here, and I do not play any video games. There aren't any limitations I'm aware of, but it is up to you to test a hardened kernel.

Maybe you'd ask in #gentoo-hardened on IRC (freenode) for details?

----------

## NeddySeagoon

I've run ~arch since the middle of 2002.

You need to be prepared for the odd nasty surprise but things are much better than they were.

~arch is no longer the hotbed of development it once was. Much of that has moved to overlays.

Mixing arch and ~arch might be worse than all ~arch. It all depends on the mix.

For ~arch, don't update when you must have a working system. You might not.

Set FEATURES=buildpkg, so you can downgrade quickly if you need to.

----------
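The thread's practical advice boils down to three settings: accept ~amd64 only for the security-sensitive packages mv names (Firefox, the kernel, nss) while the rest stays stable, turn on FEATURES=buildpkg as NeddySeagoon suggests, and use the stored binary package to roll back a bad ~arch update. The script below is an added example, not code from the thread or from Gentoo; it writes those entries into a scratch configroot (a hypothetical parameter so it never touches the live /etc/portage) and prints the rollback command instead of running emerge. The atoms www-client/firefox and sys-kernel/vanilla-sources come from the thread; dev-libs/nss is the assumed atom for the nss library mentioned there.

```shell
#!/bin/sh
# Added example (not from the thread): keep a mostly stable Gentoo system,
# track ~amd64 only for the security-sensitive packages the thread names,
# and keep binary packages around so a bad ~arch update can be rolled back.
# CONFIGROOT is a hypothetical parameter standing in for /etc/portage.

# Per-package keyword entries: one file under package.accept_keywords/.
# www-client/firefox and sys-kernel/vanilla-sources are from the thread;
# dev-libs/nss is the assumed atom for the nss library mentioned there.
write_keywords() {
    configroot="$1"
    mkdir -p "$configroot/package.accept_keywords"
    cat > "$configroot/package.accept_keywords/security-sensitive" <<'EOF'
# Packages tracked on ~amd64 while the rest of the system stays on stable.
www-client/firefox ~amd64
dev-libs/nss ~amd64
sys-kernel/vanilla-sources ~amd64
EOF
}

# Append buildpkg to FEATURES so every emerge also stores a binary package
# under PKGDIR; that stored package is what makes a quick downgrade possible.
enable_buildpkg() {
    configroot="$1"
    mkdir -p "$configroot"
    printf 'FEATURES="${FEATURES} buildpkg"\n' >> "$configroot/make.conf"
}

# Check: return 0 when make.conf enables buildpkg, 1 otherwise.
buildpkg_enabled() {
    grep -Eq '^FEATURES=.*buildpkg' "$1/make.conf" 2>/dev/null
}

# Command to reinstall a previously built binary package of a given version:
# --usepkgonly (-K) refuses to compile and only uses what is in PKGDIR.
rollback_command() {
    printf 'emerge --oneshot --usepkgonly "=%s-%s"\n' "$1" "$2"
}

# Stand-alone demo against a constructed scratch directory.
demo() {
    tmp=$(mktemp -d)
    write_keywords "$tmp"
    enable_buildpkg "$tmp"
    cat "$tmp/package.accept_keywords/security-sensitive"
    buildpkg_enabled "$tmp" && echo "buildpkg: on"
    # Version 31.5.3 is the stable Firefox the original poster has installed.
    rollback_command www-client/firefox 31.5.3
    rm -rf "$tmp"
}

demo
```

The rollback only works for a version that was emerged after buildpkg was enabled, since only then does a binary package for it exist in PKGDIR; enable the feature before moving packages to ~amd64, not after the first bad update.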

