PCI compliance
Posted Oct 12, 2011 21:59 UTC (Wed) by rickmoen (subscriber, #6943)
In reply to: PCI compliance by corbet
Parent article: WineHQ database compromised
FWIW: As someone who's gone through many, many rounds of proving PCI compliance, I can say that, yes, it's a hassle proving, each time, that your installed version of a security-sensitive package includes backported fixes not reflected in its publicly scan-able version number. I've worked out a routine where I keep handy a canned response that I can quote to answer that objection, which I haul out each testing cycle, with only minimal use of everyone's time.
Rick Moen
rick@linuxmafia.com