On Fri, 2021-02-26 at 09:02 +0000, redbaronbrowser via CentOS-devel wrote:
> Given Red Hat policy of withholding security updates from Stream
This is a fundamental misstatement of the workflow.
For EMBARGOED security errata, RHEL will be getting the fix ahead of Stream.
Stream is built in the open where anyone can see what is built, any patches, and changelogs. If an embargoed update is built in stream before the announcement date, the embargo is violated.
RHEL is built in private. They can build the embargoed update whenever they want, stage it for release, and maintain the privacy of the CVE.
This means there is a certainty that EMBARGOED updates will get into RHEL first.
This gets more complex if the stream package is ahead of the RHEL update. If the stream and RHEL packages are identical, the source code sync process will automatically get the update built and published.
If the stream package is ahead of the RHEL package, then the patch will need to be ported over. This will take some time and be done in public. It may take minutes or hours.
If you've a way to improve this workflow while honoring the commitments to embargoes and build transparency, I'm certain it would be well received.
Pat