3

Ubuntu version numbers don't match the rest of the space, and it's not clear why they don't or how they actually work.

For instance, there's OpenSSL 1.0.1n and 1.0.1f-1ubuntu9.8.

What's the reasoning for this? What does the ubuntu part of the version number mean? I'm not asking why 1.0.1n isn't available yet, I'm asking why the equivalent (in terms of security patches) has a name that cannot be compared.

Vynce
  • 173
  • And possibly http://askubuntu.com/questions/100852/why-ubuntu-sources-are-different-to-the-originals/, http://askubuntu.com/questions/26507/whats-the-significance-of-0ubuntu1-at-the-end-of-a-package-version-string/26508?s=2|0.3074#26508 – muru Jul 14 '15 at 00:05

1 Answer

6

As you probably know, Ubuntu is a fork of Debian. This means that for each version of Ubuntu, lots of packages come from the Debian version on which that Ubuntu version is based. The trailing nomenclature is added to keep track of the history of the package.

  • 1.0.1f: this is plainly the version of OpenSSL included in the package;
  • 1: this is the Debian version of the package; 0 would have meant that the package was not present in Debian and that the package was added to Ubuntu by Canonical; its absence would have meant that the package was added by Debian itself, rather than deriving from an upstream;
  • ubuntu: this means that the package has been updated from the Debian version of the package; its absence would have meant that the package wasn't updated from the Debian version of the package (i.e. that the Debian package was included directly without modifications);
  • 9.8: this is the version of the Ubuntu package

So openssl-1.0.1f-1ubuntu9.8 is revision 9.8 of the openssl Ubuntu package, which is based on revision 1 of the openssl Debian package, and which contains OpenSSL 1.0.1f.

You can find more information on the Debian packages' version numbering here or by running the command man 5 deb-version.

kos
  • 35,891
  • 2
    All of which is described in man 5 deb-version. – muru Jul 14 '15 at 00:32
  • 1
    The Debian version (i.e. "1") is optional and doesn't appear in some cases, such as when the package originates from Debian itself, rather than Debian receiving it from an upstream. The bit about adding an "ubuntu" suffix is not described in that man 5 deb-version. I assume there is still a hyphen before "ubuntu" if there is no Debian version. – thomasrutter Jul 14 '15 at 00:46
  • so there's no way to directly compare for purposes of, say, security updates? – Vynce Jul 14 '15 at 00:51
  • 2
    @Vynce nope. Read the changelogs. – muru Jul 14 '15 at 01:02
  • @thomasrutter Thanks, I've mentioned that the 1 or 0 are optional; I guess that's because man 5 deb-version's purpose is to describe Debian packages' version numbering rather than Ubuntu packages' version numbering. – kos Jul 14 '15 at 01:02
  • 1
    @thomasrutter The ubuntuX suffix is still part of the debian revision field as defined by the manpage, irrespective of whether Debian has released a revision, so yes, it has to have a hyphen before it. – muru Jul 14 '15 at 01:03
  • 2
    @Vynce, there is a well-defined algorithm APT uses for comparing two version strings to find which one is the "newer". For the most part it is alphabetical order, but with special handling of numbers and of the '~' character among other things. That said, a version being "newer" doesn't always mean it has fixed more vulnerabilities, as muru said - you need to read changelogs. Certainly, if you have the usual repos in your sources.list, Debian/Ubuntu always try to ensure that your package manager will never update from a better to a worse version in terms of vulnerabilities, by policy. – thomasrutter Jul 14 '15 at 01:10
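
The ordering rules mentioned in the last comment, as an added Python example that is not part of the original thread: it splits a version string into the fields described in the answer and applies the comparison rules from man 5 deb-version. The function names are hypothetical; on a real system `dpkg --compare-versions` is the authoritative check.

```python
import re

def _digit(c):
    return "0" <= c <= "9"           # ASCII digits only; "" is not a digit

def split_version(v):
    """Split [epoch:]upstream[-revision]; the revision follows the LAST hyphen."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # no hyphen: the whole string is upstream
        upstream, revision = rest, ""
    debian, has_ubuntu, ubuntu = revision.partition("ubuntu")
    return {"epoch": int(epoch), "upstream": upstream, "revision": revision,
            "debian": debian, "ubuntu": ubuntu if has_ubuntu else None}

def _order(c):
    """Weight of a non-digit character: '~' < end of string < letters < the rest."""
    if c == "~":
        return -1
    if c == "" or _digit(c):
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1) non-digit prefixes, character by character with the weights above
        while (i < len(a) and not _digit(a[i])) or (j < len(b) and not _digit(b[j])):
            wa, wb = _order(a[i:i + 1]), _order(b[j:j + 1])
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        # 2) digit runs, compared as integers (an empty run counts as 0)
        da, db = re.match(r"[0-9]*", a[i:]).group(), re.match(r"[0-9]*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to, or after v2."""
    p, q = split_version(v1), split_version(v2)
    if p["epoch"] != q["epoch"]:
        return -1 if p["epoch"] < q["epoch"] else 1
    return _cmp_part(p["upstream"], q["upstream"]) or _cmp_part(p["revision"], q["revision"])

if __name__ == "__main__":
    print(split_version("1.0.1f-1ubuntu9.8"))
    # Sorting before upstream 1.0.1n says nothing about backported fixes.
    print(compare("1.0.1f-1ubuntu9.8", "1.0.1n"))
```

The result only orders package versions; whether a given fix is present still has to come from the package changelog, as the comments above say.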