On 12/14/20 3:47 PM, Leroy Tennison wrote:
> The whole issue of "support longevity" raises an issue I've been pondering: is 10-year support a good thing from a security perspective? At work we use Ubuntu LTS, which has only a five-year support cycle (you can pay for an extra five years), but even with that, issues have arisen. Although they do security and bug-fix updates, the package versions remain basically the same. So, if a package is on version 1.2.3, it remains 1.2.3 with bug fixes and security patches for the life of the distribution. Does Red Hat/CentOS do the same thing?
Yes. Nearly always. Exceptions are in release notes as "rebasing".
> The reason I ask is I ran into an issue where OpenVPN was updated in a later release to support a more robust security architecture which wasn't available until I upgraded. A configuration change could have addressed a security weakness in the older version, so that the issue wasn't one of a security patch.
This, in a nutshell, is why, for stability within a release, it is better to back-port fixes. Yes, it takes a lot more effort by Red Hat to maintain software this way.
When you decide a package needs a significantly newer version, that's when you start looking at new releases of the OS.
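The practical consequence of back-porting, as discussed above, is that the upstream version string never tells you whether a given CVE is fixed; only the package's release field and its changelog do. As an added example that is not part of this thread, here is a small Python parser over a constructed `rpm -q --changelog` output (package, maintainer, dates and CVE ids are all made up) that answers "which build first fixed CVE X?" without looking at the version number.

```python
import re

# Constructed sample of `rpm -q --changelog <pkg>` output; not from any real package.
# The upstream version stays 2.4.9 throughout while the release field climbs and
# back-ported CVE fixes land. The CVE ids below are placeholders, not real CVEs.
SAMPLE_CHANGELOG = """\
* Tue Mar 02 2021 Example Maintainer <maint@example.invalid> - 2.4.9-3
- backport fix for CVE-2021-00002 (constructed id)
- tighten default cipher list

* Wed Nov 18 2020 Example Maintainer <maint@example.invalid> - 2.4.9-2
- backport fix for CVE-2020-00001 (constructed id)

* Fri Jun 12 2020 Example Maintainer <maint@example.invalid> - 2.4.9-1
- rebase to upstream 2.4.9
"""

# rpm changelog entry header: "* <Dow Mon DD YYYY> <name> <email> - <version>-<release>"
HEADER_RE = re.compile(r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) .*?- (?P<evr>\S+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Return a list of (version-release, [cve ids]) tuples, newest entry first."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("evr"), [])
            entries.append(current)
        elif current is not None:
            # Body lines belong to the most recent header; collect any CVE ids they name.
            current[1].extend(CVE_RE.findall(line))
    return entries


def fixed_in(text, cve):
    """Return the version-release whose entry first mentions `cve`, or None if absent."""
    for evr, cves in reversed(parse_changelog(text)):  # walk oldest to newest
        if cve in cves:
            return evr
    return None


def upstream_version(evr):
    """Strip the distro release field: '2.4.9-3' -> '2.4.9'."""
    return evr.rsplit("-", 1)[0]
```

On a real RHEL/CentOS host the same question is answered by `rpm -q --changelog <pkg> | grep CVE-...`; the parser above just makes the "version unchanged, release bumped" pattern explicit.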