--On 06 September 2005 10:16 +0200, Stephan A. Rickauer wrote:
> There is one thing I still don't understand. What effort is it to
> deliver patches (not backports) longer than just a few months - given
> that the overall amount of patches per release is low with OpenBSD
> anyway... let's say you have four security-relevant patches per
> release, then you had 20 in 2.5 years ...
Development does not stand still. There are *huge* differences in some areas of OpenBSD over two years of time. In many cases, some are designed to block new areas of attack, and to clean-up code in a major way. Forcing you to update at least once every two releases is a good way to make sure you benefit from all these changes. And evaluating those changes, and porting back whatever may have some security relevance is too hard. If you prefer: some developer rewrites some code to clean it up at time T. Then a new attack comes up at time T2 that targets that specific area. We discover that OpenBSD is not affected... well, if the gap between T and T2 is greater than two releases, we do not even check that the old code was affected. This happens more often than you would think.