On Tuesday 11 August 2009 23:25:23 Ian Murray wrote:
I am troubled by the window of opportunity that a hacker has between RH releasing a point release and CentOS releasing the equivalent. Every RH published errata for that stream is a known weakness to your system and there is not a sausage you can do about it until the CentOS project delivers the point release. The quicker it is, the less of a problem, but the slower it is, the more exposed you are. CentOS have not exactly been knocking out the updates very quickly.
Having asked the question on the SL list, I've been informed that they release interim security errata and build all dependencies. They freely admit that doesn't always work and some things do get missed, especially immediately after RH does a point release. However, as was also pointed out, you have the choice to take the updates or not, so you are never worse off than you are with CentOS, in that respect at least.
Why don't you go with SL, or even pay RH, if you are that concerned about hacking attempts? It seems clear that CentOS is not a good distro for you if you are not satisfied with its update schedule. I believe it is better to make a different choice of distro than to ask for substantial changes in the current one, especially if other people would have to do that extra work for you.
And please don't tell me that SL has other flaws. If security is your first and most important concern, the best thing is to buy RH, it is definitely worth it. If you cannot invest money, go with SL, they have faster updates. If things break, well, at least you didn't get hacked. You should evaluate what is best for your situation and go with it, not ask CentOS to be both rock-solid and fast with updates at the same time.
HTH, :-) Marko