[CentOS-devel] CentOS-[56] Continous Release
Ljubomir Ljubojevic
office at plnet.rs
Tue Jun 21 22:41:06 UTC 2011
Les Mikesell wrote:
> On 6/21/2011 3:00 PM, Ljubomir Ljubojevic wrote:
>> Les Mikesell wrote:
>>> So, if you were managing an internet connected host running CentOS,
>>> would you configure it to track the CR repo or not? Or what criteria
>>> would you use to make this decision? I'm still having trouble seeing
>>> why, if upstream decided they should go out, that someone running what
>>> is essentially identical to that upstream code doesn't need them for the
>>> same reasons. Or why to think the risk of installing them outweighs the
>>> risk of continuing to run what upstream had its reasons to replace.
>> We are not talking about regular updates, but **only** the time between
>> RHEL point release and CentOS point release. So completed packages do
>> not wait for *all* packages and ISO's to be released, but are available
>> as soon as QA team approves them.
>> If there is fundamental error for a base package that requires for some
>> of those packages to be recompiled, we need to have some kind of
>> automatic protection for that case scenario.
>
> That doesn't address the risk of *not* installing these updates.
> Generally speaking, I think most users of CentOS trust upstream's
> choices and for me that includes when it is time to fix the bugs they
> shipped last time around. And generally speaking, I trust the CentOS
> project to be able to recompile working source and catch obvious
> mistakes before pushing them out.
>
> So, again, under what circumstances does anyone think it is a good idea
> to not opt into this repo and instead keep running code that will very
> likely have published exploits over a time span that we've seen can run
> for months? I agree that this is a fuzzy area where not all of the
> point release updates address vulnerabilities or even serious bugs, but
> some certainly will. It just seems to me that not doing them is betting
> against the upstream wisdom or the project's building/QA capability.
> But I also agree that yum should be smarter and know something about
> rebuilds with no source change.
>
I finally understand what you are talking about.
Who said anything about not releasing critical updates as soon as srpms
are available (in "updates" repo)? I am sure that every security patch
will still be released as soon as it is rebuild, unless it requires a
package that has build problems that will actually hold entire build
process, in which case even CR repo will not help.
Ljubomir
More information about the CentOS-devel
mailing list