On 12/24/2020 11:21 PM, Ljubomir Ljubojevic wrote:
On 12/23/20 11:43 PM, Gordon Messmer wrote:
It's pretty close, with one significant caveat: for (roughly) two months out of the year, CentOS doesn't get any updates at all, including security patches. For me, that's an awfully big risk. I would much rather get features on a regular basis than go without security patches for a month, twice per year.
Every CentOS user accepts this as part of the "free" offering. Anyone that has a problem with this gap has bought a RHEL subscription, as I would have if it was important enough for me.
But I would not have said there is no security for the entire 2 months, because CentOS devs have been pushing important security updates into the CR repository, for instance, if I remember correctly. But again, you are either OK with the wait or you buy a RHEL subscription; that was the deal everyone accepted.
It's also worth pointing out that in cases where we're known to be in a delay period (such as just after a point release) or where there's a critical CVE and neither RHEL nor the CentOS updates have dropped, it's not uncommon for a critical update to just be rolled internally.
Take the existing SRPM, apply the patch, call it N-V-R.1+, test the fix, sign it and insert it into the private yum repo that you inevitably have. Done. When the upstream and/or vendor fix is released, it will silently upgrade in place over yours with the official version. Large CentOS installs have teams of Linux systems engineers capable of doing this if a relevant security fix needs to go out.
But this depends on having a predictable upstream, and a stable foundation on which to build. I.e., coherent OS release management with /updates/ layered over it. CentOS CR/Stream does not have this, which is why it is not generally suitable for production use on actual, persistent boxes.
-jc
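The interim-hotfix procedure described in the message above (rebuild the vendor SRPM with a local patch, give it a sub-release so the official build later sorts above it, sign it, publish it to a private repo), written out as an added example. This is not code from the thread; it assumes a Linux host with rpm-build, rpm-sign and createrepo_c installed, a `%_gpg_name` already set in `~/.rpmmacros`, and that the spec file inside the SRPM is named `NAME.spec` (the usual convention). The patch number 9999 and all paths are placeholders.

```shell
#!/bin/sh
# Added example: local hotfix rebuild of a vendor SRPM (not code from the list thread).
# Assumptions: rpm-build, rpm-sign, createrepo_c present; %_gpg_name set in ~/.rpmmacros;
# spec inside the SRPM is NAME.spec. Patch tag 9999 is an arbitrary placeholder.
set -eu

# Derive the hotfix Release from the spec's Release value (e.g. "1%{?dist}").
# Appending ".1" gives 1.el8.1 on disk: rpm sorts that above 1.el8 and below 2.el8,
# so the vendor's next N-V-(R+1) build replaces the hotfix on the next update run.
hotfix_release() {
  printf '%s.1' "$1"
}

# Rewrite the spec in place: bump Release, register the patch after Source0 and,
# unless the spec uses %autosetup (which applies Patch tags itself), add an
# explicit %patch line after %setup. Requires GNU sed (-i and one-line "a").
patch_spec() {
  spec="$1"; patch="$2"
  rel=$(sed -n 's/^Release:[[:space:]]*//p' "$spec" | head -n1)
  newrel=$(hotfix_release "$rel")
  sed -i "s|^Release:.*|Release: $newrel|" "$spec"
  sed -i "/^Source0:/a Patch9999: $patch" "$spec"
  grep -q '^%autosetup' "$spec" || sed -i "/^%setup/a %patch9999 -p1" "$spec"
}

# Full workflow: unpack SRPM into ~/rpmbuild, patch the spec, build, sign, publish.
build_sign_publish() {
  srpm="$1"; patch="$2"; repo="$3"
  rpm -ivh "$srpm"                                  # drops spec/sources into ~/rpmbuild
  name=$(rpm -qp --qf '%{NAME}' "$srpm")
  cp "$patch" ~/rpmbuild/SOURCES/
  patch_spec ~/rpmbuild/SPECS/"$name.spec" "$(basename "$patch")"
  rpmbuild -bb ~/rpmbuild/SPECS/"$name.spec"        # test the result before signing
  rpm --addsign ~/rpmbuild/RPMS/*/"$name"-*.rpm     # key chosen by %_gpg_name
  cp ~/rpmbuild/RPMS/*/"$name"-*.rpm "$repo"/
  createrepo_c --update "$repo"                     # clients pick it up on next yum/dnf run
}

# Example invocation (placeholder paths):
# build_sign_publish /srv/srpms/foo-1.0-1.el8.src.rpm /srv/patches/fix-cve.patch /srv/repo/hotfix
```

Keep the original release number intact and only append a sub-release: a tool that increments Release (rpmdev-bumpspec does this) would produce 2.el8, which collides with, rather than sorts below, the vendor's next official build.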