On 16/12/16 13:12, Laurentiu Pancescu wrote:
I'm pretty new to CentOS: since only the last official release is supported, does this mean that users get no security updates at all during the time frame between Red Hat's official RHEL 7.3 release and the availability of our rebuild? Something like 15 days ideally, or 39 days in this particular instance? If this is true, perhaps we should enable the CR repo by default, at the risk of stuff breaking?
The CR repo will typically see content at point release time fairly quickly. Through the life of the release, security updates are released within 24 hrs. The avg time in the last 12 months has been less than 18 hrs or so.
The CR model is perhaps something we need to reconsider a bit - there is wider impact than just the distro; e.g. the SIGs needed to line up content and we tried to work with the ci infra and the cbs infra to get something like a sync release out - and it didn't work out as planned. When we did not do this last time, we also had impact - just that this time it was different. And we should have that conversation, build the model and the automation required around it - and get better next time.
The 15 day point is for the distro content turnaround. To me, that means any existing user should be able to yum update to the new content - not always mapping to the ISO media itself.
During the normal lifetime of a point release, security updates normally become available 24-72 hours after Red Hat publishes the fixes - has that changed recently?
It's only gotten better.
Another issue with security updates is how long it sometimes takes for them to arrive in our SCL repositories. In one case, there was a delay of 4 months for PHP[1] and I also remember a critical fix for Python 3 taking several weeks. Couldn't we get some sort of notification on new commits in Red Hat's public repo?
[1] https://www.redhat.com/archives/sclorg/2014-November/msg00008.html
[2] https://www.redhat.com/archives/sclorg/2014-November/msg00005.html
This is really something to work with the SCLo SIG around; maybe we can do some automation and help with testing in some way to try and improve that delta?
The latest https://rhn.redhat.com/errata/RHSA-2016-2946.html, which is a critical update for Firefox released on the 14th, is still not released for CentOS 7 after 2 days.
The original advisory[3] for Firefox 50.1 lists a few more CVEs than Red Hat's bulletin (the critical security fixes are backported by Mozilla in the ESR version "where feasible", which is why the Canonical Security Team decided to offer the normal Firefox releases in Ubuntu LTS, not the ESR ones). [4]
[3] https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
[4] http://www.chriscoulson.me.uk/blog/?p=111
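The last two messages raise a practical question for anyone running CentOS: given an upstream advisory, which of its CVEs has the package you actually have installed been patched for? The usual quick check on an RPM-based system is to diff the advisory's CVE list against the package changelog (`rpm -q --changelog firefox`), since CentOS does not ship errata metadata that `yum updateinfo` could consult. The script below is an added example written for this page, not code from the thread, CentOS or Red Hat. The advisory text and changelog text in it are constructed samples, and the CVE identifiers are placeholders, not the real CVE set of mfsa2016-94 or RHSA-2016-2946.

```shell
#!/bin/sh
# Added example (not from the thread): report CVEs that an upstream advisory
# names but that do not appear in an installed package's RPM changelog.
# All sample text and CVE IDs below are constructed placeholders.

# Read text on stdin and print each distinct CVE identifier it contains, sorted.
# The pipeline exits with sort's status, so "no CVEs found" is not an error.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# $1: advisory text, $2: changelog text. Prints, one per line, every CVE that
# occurs in the advisory but not in the changelog; prints nothing when the
# changelog covers them all.
cves_missing_from_changelog() {
    advisory_cves=$(printf '%s\n' "$1" | extract_cves)
    changelog_cves=$(printf '%s\n' "$2" | extract_cves)
    for cve in $advisory_cves; do
        # -x: whole-line match, -F: literal string, so CVE-2016-0001 does not
        # match CVE-2016-00011.
        printf '%s\n' "$changelog_cves" | grep -qxF "$cve" || printf '%s\n' "$cve"
    done
}

# Constructed sample advisory: three CVEs, as a vendor bulletin would list them.
ADVISORY_SAMPLE='Security advisory for the example browser, ESR branch
CVE-2016-0001 Use-after-free in layout code
CVE-2016-0002 Buffer overflow in image decoder
CVE-2016-0003 Same-origin policy bypass (not backported to ESR)'

# Constructed sample changelog, in the format "rpm -q --changelog" prints:
# the package build only references the first two CVEs.
CHANGELOG_SAMPLE='* Wed Dec 14 2016 Example Packager <packager@example.invalid> - 45.6.0-1
- Update to 45.6.0 ESR
- Fixes CVE-2016-0001, CVE-2016-0002'

# Stand-alone run: prints the one CVE the sample changelog does not mention.
cves_missing_from_changelog "$ADVISORY_SAMPLE" "$CHANGELOG_SAMPLE"
```

On a real host the same function is fed live data, for example `cves_missing_from_changelog "$(curl -s "$ADVISORY_URL")" "$(rpm -q --changelog firefox)"`. Two caveats: a changelog only records what the packager chose to write, so an empty result is evidence, not proof, that every fix is present; and an upstream advisory (as in the Mozilla ESR case discussed above) may deliberately list CVEs that the ESR branch never received, which this check will surface rather than hide.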