On 12/16/2016 07:12 AM, Laurentiu Pancescu wrote:
On 16/12/16 12:08, Karanbir Singh wrote:
On 16/12/16 10:49, Trevor Hemsley wrote:
7.3.1611 took 39 days from the upstream release which is 2 weeks longer than the previous el7 drops.
I am going to try and work this out - plan on doing a better teardown and work through the issues early Jan once this release has settled. We got a few things right, a couple of things went sideways. But I agree, we should aim to turn around a major release in 15 days or less.
I'm pretty new to CentOS: since only the last official release is supported, does this mean that users get no security updates at all during the time frame between Red Hat's official RHEL 7.3 release and the availability of our rebuild? Something like 15 days ideally, or 39 days in this particular instance? If this is true, perhaps we should enable the CR repo by default, at the risk of stuff breaking?
We don't get to look at source code before release of RHEL .. then we get the source code on git.centos.org.
We have no real idea of the exact build order, it is trial and error. Once we get rpms built, they go through some initial QA. Then we release them as CR. Goals for each are listed below.
During the normal lifetime of a point release, security updates normally become available 24-72 hours after Red Hat publishes the fixes - has that changed recently?
That is for normal updates after the point release is done before the next point release.
For a point release .. 7-14 days for CR and then 14-21 days for the official tree (after CR) has always been the goal.
Another issue with security updates is how long it sometimes takes for them to arrive in our SCL repositories. In one case, there was a delay of 4 months for PHP[1] and I also remember a critical fix for Python 3 taking several weeks. Couldn't we get some sort of notification on new commits in Red Hat's public repo?
SCLs are a SIG, not part of the Core SIG. The SIG would have to address that.
[1] https://www.redhat.com/archives/sclorg/2014-November/msg00008.html
[2] https://www.redhat.com/archives/sclorg/2014-November/msg00005.html
The latest https://rhn.redhat.com/errata/RHSA-2016-2946.html which is a critical update for firefox released on the 14th is still not released for CentOS 7 after 2 days.
The original advisory[3] for Firefox 50.1 lists a few more CVEs than Red Hat's bulletin (the critical security fixes are backported by Mozilla in the ESR version "where feasible", which is why the Canonical Security Team decided to offer the normal Firefox releases in Ubuntu LTS, not the ESR ones). [4]
[3] https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
[4] http://www.chriscoulson.me.uk/blog/?p=111
Best regards, Laurențiu