Re: CentOS Stream, RHEL, and Fedora [was Re: What is Fedora?]

On 6/24/23 11:05, Michael Catanzaro wrote:
> 
> On Sat, Jun 24 2023 at 08:53:32 AM -0500, Chris Adams 
> <linux@xxxxxxxxxxx> wrote:
>>> Is it?  At one point, there were considerable gaps in security updates;
>> RHEL 9.x would get an update while CentOS Stream 9 (as the target for
>> RHEL 9.[x+1]) didn't get a corresponding update for quite a while.  If
>> Stream doesn't get security updates in a timely fashion, it is not at
>> all suitable for production use.
> 
> So here is the reality with security updates. The vast majority of 
> security updates are shipped in RHEL 3-9 months after we fix them, 
> because minimizing the quantity of updates is an important goal in RHEL 
> to reduce update churn for customers, so we only want to release quick 
> fixes for issues that pose serious risk. (Most security issues are just 
> not very urgent.) This means you get most security fixes drastically 
> sooner in CentOS Stream than you would in RHEL. However, 
> higher-severity security updates do get fixed in RHEL first. Developers 
> are not permitted to fix higher-severity security issues in CentOS 
> Stream until after the fix is shipped in at least one RHEL update. 
> We're encouraged to do so immediately after the fix ships in RHEL, so 
> there *should* only be a minor delay of, say, one or two business days 
> for the developer to notice the update has shipped. So in general, 
> CentOS Stream *should* generally be ahead of RHEL and ideally only 
> slightly behind for the more serious CVEs.

What about stuff that is too urgent to wait on Red Hat QA?  There have
been vulnerabilities (such as CVE-2013-0156 and Log4Shell) for which
unauthenticated, fully automated, remote code execution exploits have
been found very, _very_ quickly.  There may well be times when
attackers can write and use an exploit faster than Red Hat QA can
process an update.  For these vulnerabilities waiting on Red Hat QA
is not an option.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue