[CentOS-devel] Publish Errata for CentOS

Wed Jan 21 15:00:09 UTC 2015
Johnny Hughes <johnny at centos.org>

On 01/21/2015 05:28 AM, Karanbir Singh wrote:
> On 01/20/2015 05:55 AM, Somers-Harris, David | David | OPS wrote:
>> I just found out that the guys over at Fedora are publishing Errata for EPEL
>>
>> https://dl.fedoraproject.org/pub/epel/6/x86_64/repodata/
>>
>> Is anything stopping us from asking them how they are doing it and doing it the same way?
> 
> the question isn't 'how', it's just an xml file, you can write it by hand if
> you wish. the question is what do we put inside it and how do we make
> sure what we put inside it is accurate.

Not the least of which is ... the CentOS team does not normally verify
that a CVE is actually fixed.  We build the RHEL Source code when they
release it.

Red Hat tracks CVEs and fixes issues and puts out source code.  They
also provide assurance that a CVE is fixed, etc.  The CentOS team builds
what they release, but we do NOT provide any assurance that there was
an issue or that it is fixed.  We provide a link so that people can read
for themselves the issues that Red Hat found and what Red Hat did to fix
the issue and the code that we rebuilt.

What we don't do is make any claims that anything is fixed.  Users need
to test for the existence and/or mitigation of any issues when using
CentOS Linux. If one wants quality assurance and a service level
agreement that issues are researched and fixed, that is why RHEL costs
money and it is the assurance that Red Hat provides.
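As an added illustration of the two points above (the errata file is "just an xml file", and users have to check their own systems), here is a small Python script that is not part of this thread or of anything CentOS or Fedora ship. It parses a constructed sample in the updateinfo.xml layout that yum/dnf read from repodata, pulls out each advisory's CVE references and fixed package builds, and compares them against a constructed installed-package inventory using an rpm-style version comparison (a simplified rpmvercmp that ignores the tilde/caret rules). The advisory id, CVE id, package names and versions are all made up.

```python
"""Check a constructed updateinfo.xml against an installed-package inventory.
Added example; the advisory, CVE and package values are placeholders."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the updateinfo.xml layout used in yum/dnf repodata.
# All identifiers and versions below are made up for the example.
SAMPLE_UPDATEINFO = """<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="security@example.invalid" status="stable" type="security" version="1">
    <id>EXAMPLE-2015-0001</id>
    <title>example-lib security update</title>
    <severity>Important</severity>
    <issued date="2015-01-21 00:00:00"/>
    <references>
      <reference href="https://example.invalid/CVE-0000-0001" id="CVE-0000-0001" type="cve" title="constructed CVE"/>
    </references>
    <description>Fixes a constructed flaw in example-lib.</description>
    <pkglist>
      <collection short="example">
        <name>example</name>
        <package name="example-lib" version="1.2.3" release="4.el6" epoch="0" arch="x86_64">
          <filename>example-lib-1.2.3-4.el6.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""


def _segments(s):
    # rpm splits version strings on non-alphanumerics into all-digit
    # or all-letter segments and compares segment by segment.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm version comparison: numeric segments compare as
    integers, alpha segments as strings, numeric beats alpha, and the
    string with segments left over wins.  Tilde/caret are not handled."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_evr(a, b):
    """Compare (epoch, version, release) tuples; returns -1, 0 or 1."""
    for x, y in zip(a, b):
        c = rpmvercmp(str(x), str(y))
        if c:
            return c
    return 0


def parse_updateinfo(xml_text):
    """Return one dict per <update>: id, type, severity, CVE ids, packages."""
    root = ET.fromstring(xml_text)
    advisories = []
    for upd in root.findall("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [(p.get("name"), p.get("epoch", "0"), p.get("version"),
                 p.get("release"), p.get("arch")) for p in upd.iter("package")]
        advisories.append({"id": upd.findtext("id"), "type": upd.get("type"),
                           "severity": upd.findtext("severity"),
                           "cves": cves, "packages": pkgs})
    return advisories


def missing_fixes(advisories, installed):
    """installed maps (name, arch) -> (epoch, version, release), as one would
    build from `rpm -qa --qf` output.  Returns (advisory id, package, cves)
    for every installed package older than the advisory's fixed build.
    Packages that are not installed at all are skipped: the advisory does
    not apply to them."""
    findings = []
    for adv in advisories:
        for name, epoch, version, release, arch in adv["packages"]:
            have = installed.get((name, arch))
            if have is None:
                continue
            if compare_evr(have, (epoch, version, release)) < 0:
                findings.append((adv["id"], name, adv["cves"]))
    return findings


# Constructed inventory: example-lib is one release behind the advisory.
INSTALLED = {
    ("example-lib", "x86_64"): ("0", "1.2.3", "3.el6"),
    ("example-tool", "x86_64"): ("0", "2.0", "1.el6"),
}

if __name__ == "__main__":
    for adv_id, pkg, cves in missing_fixes(parse_updateinfo(SAMPLE_UPDATEINFO), INSTALLED):
        print(f"{adv_id}: installed {pkg} is older than the fixed build ({', '.join(cves)})")
```

Real repodata ships this file compressed and hash-prefixed (for example `<hash>-updateinfo.xml.gz`), so a production version would read it through `gzip` first. Note what the check does and does not establish: it tells you whether the package build the advisory names is installed, which is exactly the kind of link-to-the-source bookkeeping described above; it says nothing about whether the flaw behind the CVE is actually gone, which is the verification the message says users must do for themselves.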
