Am 05.08.20 um 17:55 schrieb Johnny Hughes:
On 8/5/20 10:45 AM, centos@xxxxxxx wrote:
On 05/08/2020 16:49, Johnny Hughes wrote:
On 8/5/20 1:05 AM, centos@xxxxxxx wrote:
On 04/08/2020 23:50, Jon Pruente wrote:
On Tue, Aug 4, 2020 at 11:34 AM <centos@xxxxxxx> wrote:
Q5) If the answer to the last question is "no": shouldn't there be
such
a resource?
CentOS doesn't publish security errata. If you need it then you should
either buy RHEL, or deal with putting together your own set up with
something like http://cefs.steve-meier.de/
I expected just this answer, and we do have a RHEL subscription (and
BTW: thanks for the link). But you missed the main point by omitting the
other questions (especially Q1, Q2 and Q3): There are upstream package
versions that were never rebuilt for CentOS.
For instance: If, for whatever reason, I am required to stay with nginx
1.14.1 then the missing rebuild of the packages mentioned in
RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would
leave me with a vulnerable system.
The question for an OVAL feed is actually an add-on question: In the
same spirit that is the base for the CentOS project itself: wouldn't
such a feed be a good thing to have? Otherwise your answer could be the
catch-all answer to all questions CentOS: Go get a commercial
subscription. Personally, I think such an answer is not very helpful.
So what do you think about the underlying issue? Under what
argumentation does it NOT constitute to be an issue?
Modules suck .. :)
But that is built and in the repo ..
dnf list 'nginx*'
nginx.x86_64
1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream
nginx-all-modules.noarch
1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream
nginx-filesystem.noarch
1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream
nginx-mod-http-image-filter.x86_64
1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream
nginx-mod-http-perl.x86_64
1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream
nginx-mod-http-xslt-filter.x86_64
1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream
nginx-mod-mail.x86_64
1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream
nginx-mod-stream.x86_64
1:1.14.1-9.module_el8.0.0+184+e34fea82 AppStream
As I have said before .. mbbox (the item used to build modules) adds an
index code (the 184) and a part of the git commit (e34fea82) .. so this
will always be different between RHEL and CentOS .. because we use
different builders and a different git repo. Red Hat's RHEL index code
is 4108 and the git commit is af250afe
Thanks a lot for pointing that out! That explains part of the problem.
The corresponding source RPMs are indeed identical (I checked :-) ), so
the packages were (indeed) rebuilt. That was not at all obvious to me.
OTOH: I probably would have guessed if there had been a corresponding
e-mail to Centos-Announce. At this point, I would like to add that I am
extremely impressed by the CentOS project and that I do not want to
blame anybody for forgetting such an e-mail (or maybe it was just lost
somewhere in SMTP-land) - I just want to state that fact. Thanks for
putting in all that hard work!
With that new knowledge, I also checked my other issues wrt to the
container-tools package: Same module issue. So there is a pattern. But
there is also the pattern that I cannot find the corresponding
CentOS-Announce e-mail. Strange, isn't it?
This still leaves me wondering if there should be an attempt at
providing a CentOS OVAL file similar to the one by RH that is not
generated by taking the upstream file and running some uninspired
sed-script on it, like (for reference):
sed -e 's,/etc/redhat-release,/etc/centos-release,g' -e
's/199e2f91fd431d51/05b555b38483c65d/g'
However, the question could be asked if such an OVAL file would be of
any use, in the light of possibly missing CESA announce e-Mails, because
that advisory information must some be translated into the OCAL XML.
Having said all this: maybe there is some deeper problem here, because
of that pattern of missing announce e-mails that correspond with
packages that differ in the final version number with respect to the
upstream package. Or is this just a coincidence?
We understand that there are no announcements for CentOS 8 .. this (the
modules differences) is precisely the reason why (the names do not match
up and our scripts require that).
We do not have the capability to announce these at the present time.
This is something that needs an engineering solution. Submissions welcome.
I the mean time : https://feeds.centos.org/
--
Leon
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
