Re: CentOS Stream, RHEL, and Fedora [was Re: What is Fedora?]

Once upon a time, Michael Catanzaro <mcatanzaro@xxxxxxxxxx> said:
> So here is the reality with security updates. The vast majority of
> security updates are shipped in RHEL 3-9 months after we fix them,
> because minimizing the quantity of updates is an important goal in
> RHEL to reduce update churn for customers, so we only want to
> release quick fixes for issues that pose serious risk. (Most
> security issues are just not very urgent.) This means you get most
> security fixes drastically sooner in CentOS Stream than you would in
> RHEL. However, higher-severity security updates do get fixed in RHEL
> first. Developers are not permitted to fix higher-severity security
> issues in CentOS Stream until after the fix is shipped in at least
> one RHEL update. We're encouraged to do so immediately after the fix
> ships in RHEL, so there *should* only be a minor delay of, say, one
> or two business days for the developer to notice the update has
> shipped. So in general, CentOS Stream *should* generally be ahead of
> RHEL and ideally only slightly behind for the more serious CVEs.
> 
> But in practice, we actually currently have a lot of desynced
> packages where RHEL is ahead of CentOS Stream for various reasons. I
> believe most such cases are mistakes that need to be corrected, not
> intentional delays. E.g. if a particular developer just forgets to
> fix the CVE in CentOS Stream, currently nobody is checking to catch
> that and complain and get things fixed. Red Hat needs to catch and
> fix these issues proactively, but is not currently doing so. Since
> only Red Hat is able to commit to CentOS Stream, the community is
> limited to tracking desyncs and complaining when it happens. (That
> would be really valuable to do IMO.)

Seems like some tooling/notifications might help with that,
although that type of work is rarely interesting enough to get resource
assignment in the business world (and since all of this is done behind
Red Hat's curtain, there's AFAIK no path for community involvement).  I
guess a non-Hatter could use a dev subscription to compare RHEL content
to CentOS Stream content and note differences (and file BZes I guess?).

Is there any chance of having a CentOS Stream repo along the lines of
Fedora's updates-testing, so that CVEs at least would have some type of
available update in a timely manner?  With 7 there's the fasttrack repo,
but it doesn't actually seem to be used currently (and IIRC wasn't ever
a "testing" type channel).

-- 
Chris Adams <linux@xxxxxxxxxxx>
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
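The desync check Chris sketches above (pull the RHEL package list with a dev subscription, pull the CentOS Stream list, and note where RHEL is ahead) can be done with a small script, given as an added example here; it is not part of the original thread and not Red Hat's or the CentOS project's own tooling. It assumes each side's content is available as plain NEVRA strings (name-[epoch:]version-release.arch, e.g. what `dnf repoquery --nevra` prints against a configured repo) and compares them with a Python port of librpm's rpmvercmp() so that tilde pre-releases, caret snapshots and numeric vs. alphabetic segments order the same way rpm itself orders them. The two package listings are constructed for the example and are not real RHEL or CentOS Stream content.

```python
"""Find packages where CentOS Stream lags RHEL, given NEVRA listings of each.

Constructed example; the rpmvercmp() port follows librpm's algorithm, the
sample listings below are made up and do not reflect real repo content."""
import re
import string
from dataclasses import dataclass

_KEEP = set(string.ascii_letters + string.digits + "~^")
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


@dataclass(frozen=True)
class Nevra:
    name: str
    epoch: int
    version: str
    release: str
    arch: str

    @property
    def evr(self) -> str:
        return f"{self.epoch}:{self.version}-{self.release}"


def parse_nevra(s: str) -> Nevra:
    """Parse 'name-[epoch:]version-release.arch'; name may contain hyphens."""
    rest, arch = s.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, ev = rest.rsplit("-", 1)
    epoch, _, version = ev.rpartition(":")
    return Nevra(name, int(epoch) if epoch else 0, version, release, arch)


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm rpmvercmp(): -1, 0, 1 for a <, ==, > b.
    Digit runs compare numerically, alpha runs lexically, a digit run beats
    an alpha run, '~' sorts before anything (even end of string), and '^'
    sorts after end of string but before any other segment."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _KEEP:   # skip separators
            i += 1
        while j < len(b) and b[j] not in _KEEP:
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            return -1 if ca else 1
        if i >= len(a) or j >= len(b):
            break
        pat, isnum = (_DIGITS, True) if a[i].isdigit() else (_ALPHA, False)
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:                 # segment types differ: numeric wins
            return 1 if isnum else -1
        sa, sb, i, j = ma.group(0), mb.group(0), ma.end(), mb.end()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):     # longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evrcmp(x: Nevra, y: Nevra) -> int:
    """Compare epoch, then version, then release, rpm-style."""
    if x.epoch != y.epoch:
        return 1 if x.epoch > y.epoch else -1
    return rpmvercmp(x.version, y.version) or rpmvercmp(x.release, y.release)


def _newest(listing: list[str]) -> dict[tuple[str, str], Nevra]:
    """Keep only the newest build per (name, arch); repos list old builds too."""
    best: dict[tuple[str, str], Nevra] = {}
    for p in map(parse_nevra, listing):
        key = (p.name, p.arch)
        if key not in best or evrcmp(p, best[key]) > 0:
            best[key] = p
    return best


def find_desyncs(rhel: list[str], stream: list[str]) -> dict[str, list]:
    """Report packages where Stream is behind RHEL, ahead of it, or absent."""
    r, s = _newest(rhel), _newest(stream)
    out: dict[str, list] = {"stream_behind": [], "stream_ahead": [], "missing_in_stream": []}
    for key, rp in sorted(r.items()):
        sp = s.get(key)
        if sp is None:
            out["missing_in_stream"].append(rp.name)
        elif evrcmp(sp, rp) < 0:
            out["stream_behind"].append((rp.name, rp.evr, sp.evr))
        elif evrcmp(sp, rp) > 0:
            out["stream_ahead"].append((rp.name, rp.evr, sp.evr))
    return out


# Constructed sample listings (made-up builds, not real distro content).
RHEL_SAMPLE = [
    "bash-5.1.8-6.el9.x86_64", "bind-32:9.16.23-14.el9.x86_64",
    "curl-7.76.1-26.el9.x86_64", "glibc-2.34-60.el9.x86_64",
    "glibc-2.34-58.el9.x86_64", "kernel-5.14.0-362.el9.x86_64",
    "openssl-1:3.0.7-24.el9.x86_64",
]
STREAM_SAMPLE = [
    "bash-5.1.8-6.el9.x86_64", "bind-32:9.16.23-14.el9.x86_64",
    "curl-7.76.1-23.el9.x86_64", "glibc-2.34-61.el9.x86_64",
    "openssl-1:3.0.7-24.el9.x86_64", "rsync-3.2.3-19.el9.x86_64",
]

if __name__ == "__main__":
    res = find_desyncs(RHEL_SAMPLE, STREAM_SAMPLE)
    for name, r, s in res["stream_behind"]:
        print(f"BEHIND   {name}: RHEL {r}, Stream {s}")
    for name, r, s in res["stream_ahead"]:
        print(f"AHEAD    {name}: RHEL {r}, Stream {s}")
    for name in res["missing_in_stream"]:
        print(f"MISSING  {name}: in RHEL listing only")
```

Only the "stream_behind" bucket is the desync Michael describes; "stream_ahead" is the expected state, and a package present only on the RHEL side usually means a different module or repo set rather than a missing fix, so it is worth listing but not worth filing on. Diffing the two `dnf repoquery` dumps with plain `diff` or string comparison would misorder cases like `1.10` vs `1.9` and `1.0~rc1` vs `1.0`, which is why the rpm ordering is reproduced here.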
