On Sat, Jun 24 2023 at 08:53:32 AM -0500, Chris Adams
<linux@xxxxxxxxxxx> wrote:
> Is it? At one point, there were considerable gaps in security updates;
> RHEL 9.x would get an update while CentOS Stream 9 (as the target for
> RHEL 9.[x+1]) didn't get a corresponding update for quite a while. If
> Stream doesn't get security updates in a timely fashion, it is not at
> all suitable for production use.
So here is the reality with security updates. The vast majority of
security updates are shipped in RHEL 3-9 months after we fix them,
because minimizing the quantity of updates is an important goal in RHEL
to reduce update churn for customers, so we only want to release quick
fixes for issues that pose serious risk. (Most security issues are just
not very urgent.) This means you get most security fixes drastically
sooner in CentOS Stream than you would in RHEL. However,
higher-severity security updates do get fixed in RHEL first. Developers
are not permitted to fix higher-severity security issues in CentOS
Stream until after the fix is shipped in at least one RHEL update.
We're encouraged to do so immediately after the fix ships in RHEL, so
there *should* only be a minor delay of, say, one or two business days
for the developer to notice the update has shipped. So in general,
CentOS Stream *should* be ahead of RHEL and ideally only slightly
behind for the more serious CVEs.
But in practice, we actually currently have a lot of desynced packages
where RHEL is ahead of CentOS Stream for various reasons. I believe
most such cases are mistakes that need to be corrected, not intentional
delays. E.g. if a particular developer just forgets to fix the CVE in
CentOS Stream, currently nobody is checking to catch that and complain
and get things fixed. Red Hat needs to catch and fix these issues
proactively, but is not currently doing so. Since only Red Hat is able
to commit to CentOS Stream, the community is limited to tracking
desyncs and complaining when it happens. (That would be really valuable
to do IMO.)
Michael
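The desync tracking Michael describes (compare what RHEL has shipped against what CentOS Stream has, and flag every package where RHEL is ahead) can be done mechanically. The script below is an added example for this thread, not Red Hat or CentOS tooling: the two package lists are constructed sample data with hypothetical package names and versions standing in for RHEL and Stream (in practice they would come from each distro's repository metadata), and `rpmvercmp()` is a reimplementation of librpm's version comparison so that tilde, caret, leading zeros and alpha-versus-numeric segments sort the way rpm itself sorts them. Epoch bumps and `~` pre-release tags are included in the sample because a naive string comparison gets exactly those cases wrong.

```python
# Flag packages where RHEL is ahead of CentOS Stream (a "desync").
# Added example for this thread, not Red Hat or CentOS tooling.  The package
# lists at the bottom are CONSTRUCTED sample data with hypothetical names.
from typing import Callable, Dict, Tuple


def _take(s: str, k: int, pred: Callable[[str], bool]) -> str:
    # Run of characters starting at s[k] for which pred holds.
    n = k
    while n < len(s) and pred(s[n]):
        n += 1
    return s[k:n]


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following librpm's rpmvercmp() rules."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, even end of string: "1.0~rc1" < "1.0".
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        # '^' sorts before everything except end of string:
        # "1.0^post1" > "1.0" but "1.0^post1" < "1.0.1".
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca or cb:
            if i >= la:
                return -1
            if j >= lb:
                return 1
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            return -1 if ca else 1
        if i >= la or j >= lb:
            break
        # One segment: a digit run if a starts with a digit, else a letter run.
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        sa, sb = _take(a, i, pred), _take(b, j, pred)
        i, j = i + len(sa), j + len(sb)
        if not sb:  # mixed types: a numeric segment beats an alpha one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # "010" == "10"
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # leftover characters win: "1.0a" > "1.0"


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split "[epoch:]version-release"; a missing epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, sep, release = evr.rpartition("-")
    return (epoch, version, release) if sep else (epoch, release, "")


def compare_evr(x: str, y: str) -> int:
    """Epoch numerically, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def find_desyncs(rhel: Dict[str, str], stream: Dict[str, str]) -> Dict[str, str]:
    """'rhel-ahead' is the desync the thread is about; the rest are expected states."""
    result = {}
    for name, rhel_evr in sorted(rhel.items()):
        if name not in stream:
            result[name] = "missing-in-stream"
            continue
        c = compare_evr(rhel_evr, stream[name])
        result[name] = "rhel-ahead" if c > 0 else "stream-ahead" if c < 0 else "in-sync"
    return result


# CONSTRUCTED sample data; package names and versions are hypothetical.
RHEL = {"libexample": "1.4.2-7.el9_2", "examplecli": "2.10.1-3.el9",
        "widgetd": "1:3.0.0-1.el9", "tildetool": "1.0-1.el9", "onlyinrhel": "0.9-1.el9"}
STREAM = {"libexample": "1.4.2-5.el9",    # RHEL shipped two more releases: missed backport
          "examplecli": "2.10.3-1.el9",   # Stream ahead, the normal case
          "widgetd": "3.1.0-1.el9",       # higher version but epoch 0: RHEL's epoch 1 wins
          "tildetool": "1.0~rc1-1.el9"}   # '~' pre-release sorts below the final 1.0

if __name__ == "__main__":
    for name, status in find_desyncs(RHEL, STREAM).items():
        print(f"{name:12} {RHEL[name]:>16} {STREAM.get(name, '-'):>16}  {status}")
```

Running it prints one line per RHEL package with its RHEL and Stream EVRs and the classification; everything tagged `rhel-ahead` is a candidate for the "please sync this to Stream" complaint the message above suggests. Comparing with `rpmvercmp` rather than plain string ordering matters for the `widgetd` and `tildetool` rows, which a lexical compare would report as Stream being ahead.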
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx