Why RedHat doesn't support Higher Versions of Subversion

Fernando Lozano fernando at lozano.eti.br
Tue Mar 17 12:48:46 UTC 2015


Hi Versha,
>
> Brief context from our side:
>
> We are basically using RHEL6 for our build infrastructure, and as a
> part of Vulnerability management we found that Subversion 1.6 is no
> longer supported by Apache and we need to upgrade it to a higher
> version like 1.7 or 1.8 .
>
> That is why I was looking forward for some authentic information to
> proceed with a proper reason in this area.
>
Subversion 1.6 may not be supported anymore by Apache Foundation, but it
is supported by Red Hat itself. If there's any security or stability fix
released for newer Subversion, Red Hat has a contractual agreement with
you to backport those fixes to the older Subversion included in RHEL.
This is part of your subscription.

From a legal standpoint Red Hat support is better than Apache support
because the first is assured by a contract (your subscription agreement)
and comes with well defined SLA terms. Apache support provides no
assurances. Do you have a support contract with Apache Foundation? You
as a Red Hat customer can open support tickets for subversion and Red
Hat may well develop fixes and patches itself, before Apache. Those
patches will later be submitted to Apache so they become part of the
upstream Subversion.

You can check if you downloaded the latest Subversion update released
by Red Hat and use:
# rpm -q --changelog subversion | grep -i cve
to look for specific vulnerabilities fixed and so you can prove you
already have vulnerabilities fixed by newer Subversion from Apache.

> Also, do you have any idea when Redhat is going to have a higher
> version of apache Subversion in near future? :)
>
As someone already explained, the stability / compatibility /
certification assurance from your RHEL subscription implies Red Hat will
only update major versions of most packages on a new RHEL series. So
you'd have to move to RHEL7 if you really need a newer subversion, but
if your problem is just satisfying a security audit you should be fine
with RHEL6 updates.

Someone also already explained you can get a (free?) subscription to
software collections to get newer releases for some packages, but I
don't know if those include Subversion and if those are subject to the
same support terms as regular RHEL packages.


[]s, Fernando Lozano
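
The changelog check from the message above, extended to reconcile a scanner's CVE list against the fixes a package changelog records. This is an added example, not part of the original post; the function names, the sample changelog and the CVE-0000-* IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: which scanner-reported CVE IDs does an RPM changelog NOT mention?

# Print the unique CVE IDs found in changelog text on stdin, upper-cased.
changelog_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# Usage: missing_cves CVE-ID... < changelog
# Prints each requested ID absent from the changelog; returns 1 if any is absent.
missing_cves() {
    _fixed=$(changelog_cves || true)   # empty when the changelog lists no CVE
    _rc=0
    for _id in "$@"; do
        _want=$(printf '%s' "$_id" | tr '[:lower:]' '[:upper:]')
        # -x -F: whole-line literal match, so a short ID never matches as a
        # prefix of a longer one (a plain "grep -i cve" cannot tell them apart).
        if ! printf '%s\n' "$_fixed" | grep -qxF "$_want"; then
            printf '%s\n' "$_id"
            _rc=1
        fi
    done
    return "$_rc"
}

# Constructed sample in the layout "rpm -q --changelog" prints (placeholder data).
sample_changelog() {
    cat <<'EOF'
* Tue Feb 10 2015 Constructed Packager <packager@example.com> - 0.0.0-2
- add security fixes for CVE-0000-0001 and CVE-0000-0002

* Mon Jan 05 2015 Constructed Packager <packager@example.com> - 0.0.0-1
- fix crash in mod_dav_svn (cve-0000-00031)
EOF
}

# Demo on the constructed sample: prints the one ID the changelog lacks.
sample_changelog | missing_cves CVE-0000-0001 CVE-0000-0003 ||
    echo "(IDs above are not recorded as fixed in this changelog)"

# On a real host, feed the installed package's changelog instead:
#   rpm -q --changelog subversion | missing_cves <IDs from the audit report>
```

An ID reported as missing only means the changelog does not name it; the vendor's security advisories remain the authoritative record for the audit.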
