I am troubled by the window of opportunity that a hacker has between RH releasing a point release and CentOS releasing the equivalent. Every RH published errata for that stream is a known weakness to your system and there is not a sausage you can do about it until the CentOS project delivers the point release. The quicker it is, the less of a problem, but the slower it is, the more exposed you are. CentOS have not exactly been knocking out the updates very quickly.
Having asked the question on the SL list, I've been informed that they release interim security errata and build all dependencies. They freely admit that doesn't always work and some things do get missed, especially immediately after RH does a point release. However, as was also pointed out, you have the choice to take the updates or not, so you are never worse off than you are with CentOS, in that respect at least.
From: Ron Blizzard <rb4centos@gmail.com>
To: CentOS mailing list <centos@centos.org>
Sent: Tuesday, 11 August, 2009 22:06:05
Subject: Re: [CentOS] CentOS Project Infrastructure

On Tue, Aug 11, 2009 at 3:16 PM, Les Mikesell <lesmikesell@gmail.com> wrote:
Ian Murray wrote:
Part of my professional work is risk assessing system upgrades. I have been doing so long now that everything I professionally do is considered from a risk perspective. Maybe those of us that have to assess risk on a daily basis understand what I am on about and the ones that don't.... don't.
Exactly. I once built things on AT&T Unix and hardware. Nice big company with plenty of resources, dedicated, bright developers, a history of following through many releases, and then out of the blue it was gone. Dell was the next choice since it was pretty much the same code base as AT&T SysVr4 with some extra drivers. Then when Windows95 came out, Dell dropped it and pretended they'd never heard of unix. (I understood much later after reading their transcripts in the Microsoft antitrust case...) Then there was Red Hat which didn't really work at the time but had the redeeming features that bugs you reported sometimes got fixed and you didn't have to count licenses - and then that went away too. So yes, I'm paranoid. There aren't many survivors in this business. Hmmm, I left out an interesting interlude with BSDI in there somewhere but they were killed by a lawsuit.
I look at CentOS' track record. The foundation has consistently put out a good, solid distribution with regular updates. When that changes, then I'll worry.
But, as you've shown above, there are no absolute guarantees -- so, at some point you've got to go with your gut. Even if CentOS was shaky (which it's not) you still have Scientific Linux and Red Hat -- so it's not like you're putting all your eggs in one basket. From a "risk management" standpoint I think CentOS is a pretty good bet.