Re: Fedora security vs Debian

On 10/31/2014 08:10 PM, Kurt Seifried wrote:
> I'd like to see your numbers on this. CentOS tracks RHEL pretty quickly,
> Debian is pretty good but not somehow magically better/faster all the
> time on security updates.

Debian can be faster for three reasons: lack of QA, ability to do embargoed builds (unlike Fedora and CentOS), and direct package pushes to the centrally hosted security.debian.org repositories.

Debian can push emergency fixes in roughly twice the build time plus ~15 minutes (for repository push and mailing list notification). After that, the packages are ready for installation, world-wide, independent of the local mirrors used. Embargoed builds (for non-emergencies) hide the build time.

For Fedora, updates become available on mirrors as they sync with the master repositories, so there is a longer delay than 15 minutes. There is also a tool-supported QA process which can add delays as well (but this may be a good thing in some cases).

However, these delays are less relevant than the decisions (explicit or otherwise) about which security updates to provide. In Fedora, it is pretty much up to the package maintainer (who will receive gentle prodding in case people care), rebases to new upstream versions are generally accepted, and security bugs of any severity can be fixed. For Debian stable, the security team triages bugs based on their severity, and only a subset is fixed through a formal security update (minor issues can be corrected through regular bug-fix updates), and there is a general requirement to do backporting (which is more work for everyone involved).

In short, you'll see fixes for slightly differing sets of bugs, and which set is better is difficult to tell without knowing your specific use case.

--
Florian Weimer / Red Hat Product Security
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security




