On 01/21/2015 05:28 AM, Karanbir Singh wrote:
On 01/20/2015 05:55 AM, Somers-Harris, David | David | OPS wrote:
I just found out that the guys over at Fedora are publishing Errata for EPEL
https://dl.fedoraproject.org/pub/epel/6/x86_64/repodata/
Is anything stopping us from asking them how they are doing it and doing it the same way?
the question isnt 'how' its just a xml file, you can write it by hand if you wish. the question is what do we put inside it and how do we make sure what we put inside it is accurate.
Not the least of which is ... the CentOS team does not normally verify that a CVE is actually fixed. We build the RHEL Source code when they release it.
Red Hat tracks CVEs and fixes issues and puts out source code. They also provide assurance that a CVE is fixed, etc. The CentOS team builds what they release, but we does NOT provide any assurance that there was a issue or that it is fixed. We provide a link so that people can read for themselves the issues that Red Hat found and what Red Hat did to fix the issue and the code that we rebuilt.
What we don't do is make any claims that anything is fixed. Users need to test for the existence and/or mitigation of any issues when using CentOS Linux. If one wants quality assurance and a service level agreement that issues are researched and fixed, that is why RHEL costs money and it is the assurance that Red Hat provides.