Hello,
I originally asked on the centos mailing list when CentOS will publish errata like Red Hat does for RHEL. It has since turned into a discussion which seems more fit for the centos-devel list, so I'm moving it here now. Here is the last post on the centos list: http://lists.centos.org/pipermail/centos/2015-January/149122.html
The current problem which needs to be tackled is where to get the data from.
It has been suggested that getting the data from Red Hat's emails would not be a breach of Red Hat's ToU. Can anybody confirm this?
If this is the case, then we can just subscribe a bot to the emails and generate the data from that and put it in updateinfo.xml.
Thanks, David
On Wed, Jan 14, 2015 at 01:49:00AM +0000, Somers-Harris, David | David | OPS wrote:
It has been suggested that getting the data from Red Hat's emails would not be a breach of Red Hat's ToU. Can anybody confirm this?
Your corporate counsel.
Asking for legal opinion on a mailing list is bound to end poorly.
John
Your corporate counsel. Asking for legal opinion on a mailing list is bound to end poorly.
Thanks John. It appears that the legal issue is what has everybody's hands tied.
What is the best way to verify legal issues? Is there a more appropriate place or person I can bring this to so that we can move forward with the technical part?
On 14.01.2015 04:20, Somers-Harris, David | David | OPS wrote:
What is the best way to verify legal issues? Is there a more appropriate place or person I can bring this to so that we can move forward with the technical part?
you could maybe ask the fedora legal mailing list.
ironically (afaik) these people are mostly red hat lawyers :D
HTH
Sven
I just found out that the guys over at Fedora are publishing Errata for EPEL
https://dl.fedoraproject.org/pub/epel/6/x86_64/repodata/
Is anything stopping us from asking them how they are doing it and doing it the same way?
On Tue, Jan 20, 2015 at 12:55 AM, Somers-Harris, David | David | OPS <david.somers-harris@mail.rakuten.com> wrote:
Is anything stopping us from asking them how they are doing it and doing it the same way?
There's nothing stopping us, but the Fedora Project's build system is what generates the EPEL packages, so I'd assume that it's part of their build infrastructure. They're the authors of the Errata metadata.
On 01/20/2015 05:55 AM, Somers-Harris, David | David | OPS wrote:
I just found out that the guys over at Fedora are publishing Errata for EPEL
https://dl.fedoraproject.org/pub/epel/6/x86_64/repodata/
Is anything stopping us from asking them how they are doing it and doing it the same way?
the question isn't 'how', it's just an xml file, you can write it by hand if you wish. the question is what do we put inside it and how do we make sure what we put inside it is accurate.
On 01/21/2015 05:28 AM, Karanbir Singh wrote:
On 01/20/2015 05:55 AM, Somers-Harris, David | David | OPS wrote:
I just found out that the guys over at Fedora are publishing Errata for EPEL
https://dl.fedoraproject.org/pub/epel/6/x86_64/repodata/
Is anything stopping us from asking them how they are doing it and doing it the same way?
the question isn't 'how', it's just an xml file, you can write it by hand if you wish. the question is what do we put inside it and how do we make sure what we put inside it is accurate.
Not the least of which is ... the CentOS team does not normally verify that a CVE is actually fixed. We build the RHEL Source code when they release it.
Red Hat tracks CVEs and fixes issues and puts out source code. They also provide assurance that a CVE is fixed, etc. The CentOS team builds what they release, but we do NOT provide any assurance that there was an issue or that it is fixed. We provide a link so that people can read for themselves the issues that Red Hat found and what Red Hat did to fix the issue and the code that we rebuilt.
What we don't do is make any claims that anything is fixed. Users need to test for the existence and/or mitigation of any issues when using CentOS Linux. If one wants quality assurance and a service level agreement that issues are researched and fixed, that is why RHEL costs money and it is the assurance that Red Hat provides.
On Wed, Jan 21, 2015 at 6:28 AM, Karanbir Singh mail-lists@karan.org wrote:
the question isn't 'how', it's just an xml file, you can write it by hand if you wish. the question is what do we put inside it and how do we make sure what we put inside it is accurate.
Why not do a minimal version that simply includes the information from the centos-announce mailing list and no external data? There are a few other errata fields that can simply be filled in with "not available". This minimal solution is nearly there using existing open source scripts tied together.
People are effectively doing a version of this today if they are using CEFS without OVAL data or if they are using one of the many centos-announce mailing list errata scraping tools without RHN or OVAL data. That means this usage is important to at least some portion of the community.
The result will be a bare bones updateinfo.xml but it would still be useful to many.
Community members who need CVE fix assurances or detailed errata should be paying Red Hat for proper support anyway.
Regards, --Tony Coffman
On 01/21/2015 10:06 AM, Tony Coffman wrote:
On Wed, Jan 21, 2015 at 6:28 AM, Karanbir Singh mail-lists@karan.org wrote:
the question isn't 'how', it's just an xml file, you can write it by hand if you wish. the question is what do we put inside it and how do we make sure what we put inside it is accurate.
Why not do a minimal version that simply includes the information from the centos-announce mailing list and no external data? There are a few other errata fields that can simply be filled in with "not available". This minimal solution is nearly there using existing open source scripts tied together.
If someone from the community would be willing to script something up for this we can take a look at it. I've been toying with the idea of adding an rss feed to www.centos.org for the repositories in place of updateinfo, mostly since Johnny is quite correct, we don't validate cve closure, so providing that info as if we do seems a bit wrong.
People are effectively doing a version of this today if they are using CEFS without OVAL data or if they are using one of the many centos-announce mailing list errata scraping tools without RHN or OVAL data. That means this usage is important to at least some portion of the community.
The result will be a bare bones updateinfo.xml but it would still be useful to many.
Community members who need CVE fix assurances or detailed errata should be paying Red Hat for proper support anyway.
Agreed.
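Tony's minimal proposal above, together with Jim's invitation for someone to script it up, as an added example that is not code from the CentOS project: a Python script that turns a centos-announce style message into a bare-bones updateinfo.xml entry. The message text, the advisory id, the hashes and the upstream URL are constructed placeholders; the updateinfo element and attribute names, the sender value and the CESA/CEBA/CEEA-to-type mapping are assumptions of this example. Fields the mail does not carry are written literally as "not available", and the only reference emitted is the upstream link, so the generated file makes no CVE-closure claim of its own, which is the point Johnny and Jim raised.

```python
"""Bare-bones updateinfo.xml from centos-announce style mail (added example,
not CentOS project code; element/attribute layout is assumed)."""
import email
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

NOT_AVAILABLE = "not available"
# Advisory prefix -> updateinfo "type" attribute (assumed mapping).
ADVISORY_TYPES = {"CESA": "security", "CEBA": "bugfix", "CEEA": "enhancement"}

SUBJECT_RE = re.compile(
    r"(?P<id>CE[SBE]A-\d{4}:\w+)\s+"
    r"(?:(?P<severity>Critical|Important|Moderate|Low)\s+)?"
    r"CentOS\s+(?P<release>\d+)\s+.+?\s+Update")
UPSTREAM_RE = re.compile(r"Upstream details at\s*:\s*(\S+)")
# "<sha256>  <file>.rpm" lines under the per-arch sections of the mail.
FILE_RE = re.compile(r"^([0-9a-f]{64})\s+(\S+\.rpm)\s*$")


def fake_sum(n):
    """Constructed placeholder for the sha256 a real announcement carries."""
    return "%064x" % n


# Constructed sample message; id, hashes and URL are placeholders.
SAMPLE_ANNOUNCEMENT = """\
Subject: [CentOS-announce] CESA-2015:XXXX Important CentOS 6 example-pkg Update
Date: Wed, 21 Jan 2015 10:00:00 +0000

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-XXXX.html

x86_64:
{0}  example-pkg-1.2.3-4.el6.x86_64.rpm
{1}  example-pkg-libs-1.2.3-4.el6.x86_64.rpm

Source:
{2}  example-pkg-1.2.3-4.el6.src.rpm
""".format(fake_sum(1), fake_sum(2), fake_sum(3))


def split_nevra(filename):
    """'name-ver-rel.arch.rpm' -> (name, ver, rel, arch); epoch is not in the name."""
    base, arch = filename[:-len(".rpm")].rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def parse_announcement(text):
    """Pull id, type, severity, release, date, upstream link and rpm list from one mail."""
    msg = email.message_from_string(text)
    subject = msg["Subject"] or ""
    m = SUBJECT_RE.search(subject)
    if not m:
        raise ValueError("subject not in CESA/CEBA/CEEA form: %r" % subject)
    body = msg.get_payload()
    upstream = UPSTREAM_RE.search(body)
    issued = (parsedate_to_datetime(msg["Date"]).strftime("%Y-%m-%d %H:%M:%S")
              if msg["Date"] else NOT_AVAILABLE)
    return {
        "id": m.group("id"),
        "type": ADVISORY_TYPES[m.group("id")[:4]],
        "severity": m.group("severity") or NOT_AVAILABLE,
        "release": "CentOS " + m.group("release"),
        "title": re.sub(r"^\[[^\]]*\]\s*", "", subject),  # drop the list tag
        "issued": issued,
        "upstream": upstream.group(1) if upstream else NOT_AVAILABLE,
        "packages": [{"sum": h, "filename": f} for h, f in
                     (FILE_RE.match(line).groups() for line in body.splitlines()
                      if FILE_RE.match(line))],
    }


def build_updateinfo(advisories, sender="centos-announce (assumed sender)"):
    """Serialise parsed advisories as an updateinfo.xml document string."""
    root = ET.Element("updates")
    for adv in advisories:
        upd = ET.SubElement(root, "update", {"from": sender, "status": "final",
                                             "type": adv["type"], "version": "1"})
        ET.SubElement(upd, "id").text = adv["id"]
        ET.SubElement(upd, "title").text = adv["title"]
        ET.SubElement(upd, "issued", {"date": adv["issued"]})
        ET.SubElement(upd, "release").text = adv["release"]
        ET.SubElement(upd, "severity").text = adv["severity"]
        # The mail carries no summary/description: fill them in literally, as proposed.
        ET.SubElement(upd, "summary").text = NOT_AVAILABLE
        ET.SubElement(upd, "description").text = NOT_AVAILABLE
        # Only the upstream link, no CVE ids: CentOS rebuilds the source and does
        # not itself verify CVE closure, so the file must not imply it does.
        refs = ET.SubElement(upd, "references")
        ET.SubElement(refs, "reference", {"href": adv["upstream"], "id": adv["id"],
                                          "title": NOT_AVAILABLE, "type": "self"})
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection",
                             {"short": adv["release"].replace(" ", "-")})
        ET.SubElement(coll, "name").text = adv["release"]
        src = next((p["filename"] for p in adv["packages"]
                    if p["filename"].endswith(".src.rpm")), NOT_AVAILABLE)
        for pkg in adv["packages"]:
            name, version, release, arch = split_nevra(pkg["filename"])
            # epoch "0" is an assumption: the filename does not carry it.
            p = ET.SubElement(coll, "package", {"name": name, "version": version,
                                                "release": release, "arch": arch,
                                                "epoch": "0", "src": src})
            ET.SubElement(p, "filename").text = pkg["filename"]
            ET.SubElement(p, "sum", {"type": "sha256"}).text = pkg["sum"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_updateinfo([parse_announcement(SAMPLE_ANNOUNCEMENT)]))
```

Feeding the real list archive through this would need the sha256 lines and subject form of actual announcements to match the assumed patterns; anything that does not parse is rejected rather than guessed, so the file never contains a package the mail did not name.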
On 01/21/2015 05:41 PM, Jim Perrin wrote:
On 01/21/2015 10:06 AM, Tony Coffman wrote:
On Wed, Jan 21, 2015 at 6:28 AM, Karanbir Singh mail-lists@karan.org wrote:
the question isn't 'how', it's just an xml file, you can write it by hand if you wish. the question is what do we put inside it and how do we make sure what we put inside it is accurate.
Why not do a minimal version that simply includes the information from the centos-announce mailing list and no external data? There are a few other errata fields that can simply be filled in with "not available". This minimal solution is nearly there using existing open source scripts tied together.
If someone from the community would be willing to script something up for this we can take a look at it. I've been toying with the idea of adding an rss feed to www.centos.org for the repositories in place of updateinfo, mostly since Johnny is quite correct, we don't validate cve closure, so providing that info as if we do seems a bit wrong.
would just repo-rss work for that rss feed on www.centos.org?
People are effectively doing a version of this today if they are using CEFS without OVAL data or if they are using one of the many centos-announce mailing list errata scraping tools without RHN or OVAL data. That means this usage is important to at least some portion of the community.
The result will be a bare bones updateinfo.xml but it would still be useful to many.
Community members who need CVE fix assurances or detailed errata should be paying Red Hat for proper support anyway.
Agreed.
On 01/21/2015 04:22 PM, Karanbir Singh wrote:
On 01/21/2015 05:41 PM, Jim Perrin wrote:
On 01/21/2015 10:06 AM, Tony Coffman wrote:
On Wed, Jan 21, 2015 at 6:28 AM, Karanbir Singh mail-lists@karan.org wrote:
the question isn't 'how', it's just an xml file, you can write it by hand if you wish. the question is what do we put inside it and how do we make sure what we put inside it is accurate.
Why not do a minimal version that simply includes the information from the centos-announce mailing list and no external data? There are a few other errata fields that can simply be filled in with "not available". This minimal solution is nearly there using existing open source scripts tied together.
If someone from the community would be willing to script something up for this we can take a look at it. I've been toying with the idea of adding an rss feed to www.centos.org for the repositories in place of updateinfo, mostly since Johnny is quite correct, we don't validate cve closure, so providing that info as if we do seems a bit wrong.
would just repo-rss work for that rss feed on www.centos.org?
That was what I was thinking, yeah.
People are effectively doing a version of this today if they are using CEFS without OVAL data or if they are using one of the many centos-announce mailing list errata scraping tools without RHN or OVAL data. That means this usage is important to at least some portion of the community.
The result will be a bare bones updateinfo.xml but it would still be useful to many.
Community members who need CVE fix assurances or detailed errata should be paying Red Hat for proper support anyway.
Agreed.
On 01/14/2015 01:49 AM, Somers-Harris, David | David | OPS wrote:
Hello,
I originally asked on the centos mailing list when CentOS will publish errata like Red Hat does for RHEL.
It has since turned into a discussion which seems more fit for the centos-devel list, so I’m moving it here now.
Here is the last post on the centos list: http://lists.centos.org/pipermail/centos/2015-January/149122.html
The current problem which needs to be tackled is where to get the data from.
and once the data exists then to validate it.
On 01/13/2015 07:49 PM, Somers-Harris, David | David | OPS wrote:
Hello,
I originally asked on the centos mailing list when CentOS will publish errata like Red Hat does for RHEL.
It has since turned into a discussion which seems more fit for the centos-devel list, so I’m moving it here now.
Here is the last post on the centos list: http://lists.centos.org/pipermail/centos/2015-January/149122.html
The current problem which needs to be tackled is where to get the data from.
It has been suggested that getting the data from Red Hat’s emails would not be a breach of Red Hat’s ToU.
Can anybody confirm this?
If this is the case, then we can just subscribe a bot to the emails and generate the data from that and put it in updateinfo.xml.
They only do emails for Security updates, not bugfix or enhancement updates.
Look at the oval data, that might have all the info required:
http://www.redhat.com/security/data/oval/
But, I think that is also ONLY RHSA data and not bugfix or enhancement info.