[CentOS-devel] yum-security and CentOS-5 / 6
a.rogge at solvention.de
Thu Aug 16 12:10:38 UTC 2012
Am 08.08.2012 12:08, schrieb Karanbir Singh:
> hi Andreas,
> On 08/02/2012 12:54 PM, Andreas Rogge wrote:
>>> step1: get a basic set of metadata online so that people can detect if
>>> an update is tag'd security, bugfix or enhancement
>> That's probably what 90% of people will be happy with.
> interesting. are you saying that most people are not interested in
> tracking specific CVE's etc ?
In fact most people I know are only interested in wether the
patches/updates they're missing fix a security issue or not. More
information is interesting, but not crucial.
The question usually is: should I install these right now or can I wait
In fact some of my customers only install bugfixes in one batch with
> problem with the new layout is that every mirror will now need ~ 1TiB of
> storage ( compared with the ~ 80 GB needed now ); with hardlinking
> aggressively, we could bring that down to about 600GB or so, but its
> still way too much.
Point taken. But then we can just take another approach placing the
> Lets only consider doing that if there is realistically no way to fix
> the problem without making that big a change to mirroring requirements.
I'd strongly discourage the use of vault.centos.org for stuff like that
and there's a rather simple way to get around changing anything on the
> the plan is to have the generation code hard wired into the script which
> pushes rpms to the updates/ repo. that should mostly solve the problem
> going forward; for retrospective updates and for rpms released into the
> base os at point release time, i think it will haveto be a manual effort
> for now. Maybe we can try and get some level of smartness sorted for 6.4
> and beyond, but for now it will need to be a manual effort ( which I am
> trying to reduce as much as possible ).
We could have some kind of repository containing all the updateinfo
snippets (Wiki, Database, git repo, you-name-it). When generating the
repository metadata you just pull all snippets that mention any of the
rpms in your repo and assemble your updateinfo.xml.
While doing that you'll immediately find all rpms that lack updateinfo.
> as far as I can tell that -<release> for errata is to handle internal RH
> oops' rather than something that is exported publicly. Once something is
> marked as public, they dont increment the release number, which is good.
> The only exception I have seen to that is when they update releaes to
> change grammar or text within a release announcement. A real fix or
> change to the packages would have to be via a new errata notice.
I know how it works for RH. Problem is: we don't have anything like
that. First time you ship something broken that needs to be fixed the
CentOS numbering scheme will break.
Also there's currently no way to name Errata for the centosplus and/or
Solvention Ltd. & Co. KG
Tel: +49 2203 989967-0
Fax: +49 2203 989967-9
mailto:info at solvention.de
More information about the CentOS-devel