Policy for updating applications in Leap versions?

Hi All,

I was wondering what is the openSUSE policy for updating applications in Leap versions?
openSUSE being my favorite distro, I wanted to install Leap 15.1 for a non tech-oriented family member so he can also start on the opensource track. I was planning to setup some folder sync for him with syncthing, but then I realized the **syncthing version in Leap 15.1 is 0.14.46, which is almost 2 years old!!

**I would like to ask:

  • is it normal to have such outdated packages in Leap?
  • what happens with security/critical bug fixes? in this case (syncthing) we are dealing with handling of critical private data / files, after all…
  • are there maybe some mandatory backports for these packages, or it only depends on the maintainer?
  • the description for Leap is “new and experienced Linux users get the most usable Linux distribution and stabilized operating system with openSUSE’s regular release. Receive updates and harden your OS
    with openSUSE’s latest major distribution.”[LIST]
  • it is quite concerning that even though this motto is very reassuring, in reality we cannot just simply leave new users on the hands of Leap, because they might be using a very **outdated/buggy/security nightmare version **
    of some software…

[/LIST]

Syncthing is just a select example, but there might be others… I don’t think a new dummy user can track this for himself… What do you suggest, what is the approach here?

Thank you,
Best Regards,
vetko

Hi
Generally there are no feature updates to applications, security and bug fixes only, Leap 15.2 will have the 5.3.x kernel though.

More info here: https://en.opensuse.org/Portal:Leap

If there is security/critical bug in the version included in Leap 15.1 you should open bug report. If you are interested in having more actual version in Leap 15.2, you should contact syncthing maintainer. The package itself appears actively maintained in network repository:

bor@bor-Latitude-E5450:~$ osc maintainer -e syncthing
Defined in package: network/syncthing 
  bugowner of syncthing : 
   -


  maintainer of syncthing : 
   sor.alexei@meowr.ru


bor@bor-Latitude-E5450:~$ 

For Leap 15.1 it is likely too late, in the meantime you could install more up to date version from network repository.

Contrary to popular belief non technical users do well with Tumbleweed. When using e.g. KDE you may remove and lock the Software Update Manager for Plasma. You can postpone updates until you actually need them. Acquaintances using Tumbleweed are fine with this policy.

erlangen:~ # zypper info syncthing
Loading repository data...
Reading installed packages...


Information for package syncthing:
----------------------------------
Repository     : openSUSE-20191106-0
Name           : syncthing
Version        : 1.4.2-1.1
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 33.3 MiB
Installed      : No
Status         : not installed
Source package : syncthing-1.4.2-1.1.src
Summary        : Continuous File Synchronisation
Description    : 
    Syncthing is an application that synchronises files across multiple
    devices. This means the creation, modification or deletion of files
    on one machine will automatically be replicated to other devices.

erlangen:~ # 

is it normal to have such outdated packages in Leap?

yes, the packages are so old and older as the openSUSE Verion is build. But they are working…

what happens with security/critical bug fixes? in this case (syncthing) we are dealing with handling of critical private data / files, after all…

You will get updates/security fixes to the Version delivered with the Release

are there maybe some mandatory backports for these packages, or it only depends on the maintainer?

They are backported.

the description for Leap is “new and experienced Linux users get the most usable Linux distribution and stabilized operating system with openSUSE’s regular release. Receive updates and harden your OS with openSUSE’s latest major distribution.”

That does not mean you are getting the newest Versions of sources, but the one who are working.

it is quite concerning that even though this motto is very reassuring, in reality we cannot just simply leave new users on the hands of Leap, because they might be using a very outdated/buggy/security nightmare version of some software... 

See above.

In other words:
openSUSE will not upgrade a Version to a newer Version while running a Release. They will backport bugfixes and bugfix the Verison while the Release is running.
There are only a few packages that will be upgrade because of the policy by the developers, firefox etc.

@vetko
Maybe you are not the person where Leap is aimed for. When you want newest versions of software only because they are the newest, then go for Tumbleweed. It is very stable in the sense that it seldom breaks down on updates.

As explained above, Leap software does net get newer versions, but it gets security and recommended patches, mostly backported to the versions released with a Leap version. This brings a stable environment for the Leap users. To exegerate a bit, they hate getting new versions of software that may have new features they did not ask for, but that nevertheless disturb them with changes user interfaces, changed behaviour and other things that interfere with there day-to-day work. That is another stability then the stability mentioned above for Tumbleweed.