On 12/15/2016 06:43 PM, Phil Wyett wrote:
How is the core SIG looking at improving and speeding up (more than one person) builds of updates? As I see it the longer the time between vendor release and CentOS release people know that we are hittable if they have a viable exploit?
I'm trying to not come across too harshly, but if you need a guaranteed speed of update, then you need to purchase an RHEL subscription.
The same source that is being rebuilt for CentOS is publicly available, and there is nothing preventing you from rebuilding it at the speed you need.
From my point of view I'm happy just getting the updates at any time, even if there is a delay in release. If I want better speed of updates, I buy RHEL subscriptions (and I do have one personally for a critical machine). Or I rebuild from the same sources that CentOS uses, although I have found that the CentOS developers almost always beat me to getting packages built, even when I do try to do the rebuild myself. (As Johnny alluded to, it's not just 'take this group of sources and build in any arbitrary order' and the so-called point releases can be much more difficult than ordinary updates due to build order puzzles.)
The CentOS developers have, in my opinion, done a fantastic job of turning out timely updates since 6.0/5.6/4.9 days, and I am personally and professionally grateful for the time spent, at no cost to me, for this to happen.