Amos Shapira wrote:
> Hello,
>
> So I've watched a few threads about the new 5.0 vs. 5.1 upgrade and
> have a couple of (hopefully) practical questions about this:
>
> Context - I'd like to stick to 5.0 at least for a while until the dust
> around 5.1 settles down (and I'm back from holidays).
> As an example - In Debian, as long as I stick to "stable" I can be
> sure that the only updates I receive there are for heavily tested very
> important bugs and security issues, so I should generally apply them.
>
> 1. If I read the FAQ correctly, in order to force yum to stay with 5.0
> should I just manually edit /etc/redhat-release from:
>
> CentOS release 5 (Final)
>
> to:
>
> CentOS release 5.0 (Final)
>
> (i.e. add ".0" to the version)? If not then what should I do?
>
> 2. I am hoping that yum-security will allow me to stick to the latest
> security updates for 5.0 without forcing me to upgrade to 5.1 until
> the dust settles down. Am I correct that this is possible with
> yum-security and the repositories provided by CentOS? Will "yum update
> --security" update packages with later versions only if those versions
> fix security issues? Are security updates maintained for 5.0? Here is
> what I get right now on one of my systems (without doing the change I
> asked about in (1)):
>
> # yum --security list updates
> Loading "security" plugin
> Loading "installonlyn" plugin
> Setting up repositories
> base 100% |=========================| 1.1 kB 00:00
> updates 100% |=========================| 951 B 00:00
> addons 100% |=========================| 951 B 00:00
> extras 100% |=========================| 1.1 kB 00:00
> Reading repository metadata in from local files
> Limiting package lists to security relevant ones
> No packages needed, for security, 196 available
>
> If I drop the "--security" flag I indeed get a list of 196 packages to upgrade.
>
> So to clarify my question - is my system secure (in terms of package
> versions) by sticking to "yum update --security"?
>
> Thanks,
>
> --Amos

I would also like to address this whole subtree (or z series) issue.

First ... The upstream guys have not offered this service yet. When they do, it will offer a subset of updates for some people who really want to have only a very small subset of updates for their equipment for 18 months. It is explained fully (at least as it has been explained to us) in this post to the list:

http://lists.centos.org/pipermail/centos/2007-December/091189.html

Second ... Since this is not really implemented (in practice) by upstream, it is currently vaporware. When they implement it, then we can see in practice what they actually do and emulate it.

Third ... What happens to the 5.1.3 people (automatically) at the "5.1.3 EOL / 5.5" point is the one major issue that I see as problematic. I would guess that they would move up to the 5.2.3 tree ... then on the 5.6 release (5.2.3 EOL), they would have to move up to the 5.3.3 tree ... then on 5.7 (5.3.3 EOL) to the 5.4.3 tree, etc.

What to do to those people automatically is critical, and we will have to see what upstream does to make our decision. If upstream stays as conservative as they currently are between point releases (ie, 5.0 to 5.1, 5.1 to 5.2), moving from 5.1.3 to either 5.2.3 OR 5.5.0 should be equally possible. However, I have heard tell of things between point release sets MAYBE becoming a bit less conservative between the 5.1 and 5.2 branches after they get the z series stuff implemented. If that is the case, then moving between branches MAY become a little bit harder.

HOWEVER, until the vaporware becomes reality and until we can actually see what the version schemes REALLY DO (and if the changes between branches become less conservative), this whole thread is just speculative conjecture. Let's see the programs in action and see what happens at 5.1.3 EOL time, etc.

In the meantime, people who want security updates need to do what the RHEL people did ... update.
There is no channel for the upstream people to do only security updates right now, they run yum and they get all the latest updates ... the same thing happens in CentOS.

Also ... the "yum --security" feature would only tell you CVE and other security information about a package. It does not actually perform security only updates, it just provides security information if a package is a security update. As posted in other places in this thread and the 5.1 release notes, the CentOS version of yum does not have this feature.

Thanks,
Johnny Hughes
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos