On 16/12/16 12:08, Karanbir Singh wrote:
> On 16/12/16 10:49, Trevor Hemsley wrote:
>> 7.3.1611 took 39 days from the upstream release, which is 2 weeks longer than the previous el7 drops.
> I am going to try and work this out - plan on doing a better teardown and work through the issues early Jan once this release has settled. We got a few things right, a couple of things went sideways. But I agree, we should aim to turn around a major release in 15 days or less.
I'm pretty new to CentOS: since only the last official release is supported, does this mean that users get no security updates at all during the time frame between Red Hat's official RHEL 7.3 release and the availability of our rebuild? Something like 15 days ideally, or 39 days in this particular instance? If this is true, perhaps we should enable the CR repo by default, at the risk of stuff breaking?
During the normal lifetime of a point release, security updates normally become available 24-72 hours after Red Hat publishes the fixes - has that changed recently?
Another issue with security updates is how long it sometimes takes for them to arrive in our SCL repositories. In one case, there was a delay of 4 months for PHP[1] and I also remember a critical fix for Python 3 taking several weeks. Couldn't we get some sort of notification on new commits in Red Hat's public repo?
[1] https://www.redhat.com/archives/sclorg/2014-November/msg00008.html
[2] https://www.redhat.com/archives/sclorg/2014-November/msg00005.html
The latest https://rhn.redhat.com/errata/RHSA-2016-2946.html which is a critical update for firefox released on the 14th is still not released for CentOS 7 after 2 days.
The original advisory[3] for Firefox 50.1 lists a few more CVEs than Red Hat's bulletin (the critical security fixes are backported by Mozilla in the ESR version "where feasible", which is why the Canonical Security Team decided to offer the normal Firefox releases in Ubuntu LTS, not the ESR ones). [4]
[3] https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
[4] http://www.chriscoulson.me.uk/blog/?p=111
Best regards, Laurențiu