Why RedHat doesnt support Higher Versions of Subversion

Tue Mar 17 23:35:51 UTC 2015

Thank you so much Fernando, that was exactly what I was looking for :)
Much appreciated.

Thanks,
Versha

From: redhat-sysadmin-list-bounces at redhat.com [mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Fernando Lozano
Sent: Tuesday, 17 March 2015 11:49 PM
To: redhat-sysadmin-list at redhat.com
Subject: Re: Why RedHat doesnt support Higher Versions of Subversion

Hi Versha,

Brief context from our side:
We are basically using RHEL6 for our build infrastructure, and as a part of Vulnerability management we found  that Subversion1.6 is no longer supported by Apache and we need to upgrade it to a higher version like 1.7 or 1.8 .
That is why I was looking forward for some authentic information to proceed with a proper reason in this area.
Subversion 1.6 may not be supported anymore by Apache Foundation, but it is supported by Red Hat itself. If there's any security or stability fix released for newer Subversion, Red Hat has a contractual agreement with you to backport those fixes to the older Subversion included in RHEL. This is part of your subscription.

>From a legal standpoint Red Hat support is better than Apache support because the first is assured by a contract (your subscription agreement) and comes with well defined SLA terms. Apache support provides no assurances. Do you have a support contract with Apache Foundation? You as a Red Hat customer can open support tickets for subversion and Red Hat may well develop fixes and patches itself, before Apache. Those patches will later be submitted to Apache so they become part of the upstream Subversion.

You can check if you downloaded the lastest Subversion updated released by Red Hat and use:
# rpm -i --changelog subversion | grep -i cve
to look for specific vulnerabilities fixed and so you can prove you already have vulnerabilities fixed by newer Subversion from Apache.

Also, do you have any idea when Redhat  is going to have a higher version of apache Subversion in near future? :)

As someone already explained, the stability / compability / certification assurance from your RHEL subscription implies Red Hat will only update major versions of most packages on a new RHEL series. So you'd have to move to RHEL7 if you really need a newer subversion, but If your problem is just satisfying a security audit you should be fine with RHEL6 updates.

Someone also already explained you can get a (free?) subscription to software collections to get newer releases for some packages, but I don't know if those include Subversion and if those are subject to the same support terms as regular RHEL packages.

[]s, Fernando Lozano
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/redhat-sysadmin-list/attachments/20150317/f921f1e9/attachment.htm>