On Jun 24, 2023, at 8:05 AM, Michael Catanzaro <mcatanzaro@xxxxxxxxxx> wrote: > > On Sat, Jun 24 2023 at 08:53:32 AM -0500, Chris Adams > <linux@xxxxxxxxxxx> wrote: >>> Is it? At one point, there were considerable gaps in security >>> updates; >> RHEL 9.x would get an update while CentOS Stream 9 (as the target for >> RHEL 9.[x+1]) didn't get a corresponding update for quite a while. If >> Stream doesn't get security updates in a timely fashion, it is not at >> all suitable for production use. > > So here is the reality with security updates. The vast majority of > security updates are shipped in RHEL 3-9 months after we fix them, > because minimizing the quantity of updates is an important goal in RHEL > to reduce update churn for customers, so we only want to release quick > fixes for issues that pose serious risk. (Most security issues are just > not very urgent.) This means you get most security fixes drastically > sooner in CentOS Stream than you would in RHEL. However, > higher-severity security updates do get fixed in RHEL first. Developers > are not permitted to fix higher-severity security issues in CentOS > Stream until after the fix is shipped in at least one RHEL update. > We're encouraged to do so immediately after the fix ships in RHEL, so > there *should* only be a minor delay of, say, one or two business days > for the developer to notice the update has shipped. So in general, > CentOS Stream *should* generally be ahead of RHEL and ideally only > slightly behind for the more serious CVEs. With this development model, what is the thought for those who may want to / be able to submit pull requests to CentOS Stream with security fixes? _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
