<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 1, 2017 at 11:37 AM, Laurentiu Pancescu <span dir="ltr"><<a href="mailto:lpancescu@gmail.com" target="_blank">lpancescu@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Never mind, I just found an up-to-date build in CBS, from Jan 18th, with all the security fixes. So they are apparently being closely tracked by the PaaS SIG.<br></blockquote><div><br></div><div>Yes, we attempt to ship security fixes as soon as we possibly can (cc'ing Troy who can provide further info there). The main issue that we run into when using EPEL or Fedora is that once a package update ships, the previous version is no longer available (with the exception of the version shipped in the base repo), so there is no easy way to roll back without providing packages in our repo.</div><div><br></div><div>--</div><div>Jason DeTiberus</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<a href="http://cbs.centos.org/koji/buildinfo?buildID=15268" rel="noreferrer" target="_blank">http://cbs.centos.org/koji/bui<wbr>ldinfo?buildID=15268</a><div class="HOEnZb"><div class="h5"><br>
<br>
On 01/02/17 17:32, Laurentiu Pancescu wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
>From a quick look at the changelog, that particular CBS build is missing<br>
the security fixes from 2.2.1.0 (CVE-2016-9587, CVE-2016-8647,<br>
CVE-2016-9587 and CVE-2016-8647). I understand that we'd probably like<br>
to have full control over when a version upgrade takes place (not to<br>
break things), but we'd need to backport the security fixes. Or isn't<br>
security an issue since cico is an isolated environment?<br>
<br>
The main reason behind my proposal to adopt whatever Fedora packages was<br>
to get security fixes from the security team that handles EPEL and<br>
Fedora. For me, it's still unclear how fast are security fixes landing<br>
in SIG-provided packages.<br>
<br>
But that's certainly your decision to make, I'm fine with it either way. :)<br>
</blockquote>
<br>
______________________________<wbr>_________________<br>
Ci-users mailing list<br>
<a href="mailto:Ci-users@centos.org" target="_blank">Ci-users@centos.org</a><br>
<a href="https://lists.centos.org/mailman/listinfo/ci-users" rel="noreferrer" target="_blank">https://lists.centos.org/mailm<wbr>an/listinfo/ci-users</a><br>
</div></div></blockquote></div><br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br></div></div>
</div></div>