Hi all,
I'm in the process of moving all of my RHEL systems over to CentOS but the argument that fires back at me is for critical vulnerabilities for items such as zero-day exploits and such.
From what I've been reading, RHEL releases critical patches much quicker than CentOS which makes sense since CentOS is simply a copy and when changes occur they propagate down to the RHEL clones. My question is what kind of time frame are we looking at when a vulnerability (critical or high) is announced and a patch has been released for RHEL does it get implemented into CentOS?
Thanks! Chris
On Tuesday 07 May 2013, "Bidwell, Christopher" cbidwell@usgs.gov wrote:
> My question is what kind of time frame are we looking at when a vulnerability (critical or high) is announced and a patch has been released for RHEL does it get implemented into CentOS?
From the FAQ, http://wiki.centos.org/FAQ/General:
- How long after Red Hat publishes a fix does it take for CentOS to publish a fix?
Our goal is to have individual RPM packages available on the mirrors within 72 hours of their release, and normally they are available within 24 hours. Occasionally packages are delayed for various reasons. On rare occasions packages may be built and pushed to the mirrors but not available via yum. (This is because yum-arch has not been run on the master mirror. This may happen when issues with upstream packages are discovered shortly after their release, and if releasing the package would break its functionality.)
Thanks for that quick response! I guess I should have looked closer through the wiki. Much appreciated!
On Tue, May 7, 2013 at 3:18 PM, Yves Bellefeuille yan@storm.ca wrote:
> On Tuesday 07 May 2013, "Bidwell, Christopher" cbidwell@usgs.gov wrote:
> > My question is what kind of time frame are we looking at when a vulnerability (critical or high) is announced and a patch has been released for RHEL does it get implemented into CentOS?
> From the FAQ, http://wiki.centos.org/FAQ/General:
> - How long after Red Hat publishes a fix does it take for CentOS to publish a fix?
> Our goal is to have individual RPM packages available on the mirrors within 72 hours of their release, and normally they are available within 24 hours. Occasionally packages are delayed for various reasons. On rare occasions packages may be built and pushed to the mirrors but not available via yum. (This is because yum-arch has not been run on the master mirror. This may happen when issues with upstream packages are discovered shortly after their release, and if releasing the package would break its functionality.)
> -- Yves Bellefeuille yan@storm.ca Mekaro en Otavo, Kanado, 18-20 majo 2013: http://mekaro.ca/
> CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Bidwell, Christopher wrote:
> Thanks for that quick response! I guess I should have looked closer through the wiki. Much appreciated!
Please don't top post.
One suggestion: if you have a number of systems, buy at least one RHEL license - that way, you can ask for enhancements, bugfixes, and such from them.
That's how we got US gov't PIV card support from them. Most of our systems are CentOS, though....
mark
> --
> Chris Bidwell, CEH, CPT, RHCSA
> Red Hat Linux Administrator
> National Earthquake Information Center
> US Geological Survey
> email: cbidwell@usgs.gov
> work: 303-273-8642
> mobile: 303-435-6362
-----Original Message-----
From: Bidwell, Christopher
Sent: Tuesday, May 07, 2013 17:12
> Hi all,
> I'm in the process of moving all of my RHEL systems over to
Why all? Let's keep that question in the back of our minds.
> CentOS but the argument that fires back at me is for critical vulnerabilities for items such as zero-day exploits and such.
> From what I've been reading, RHEL releases critical patches much quicker
If zero day patches are important to maintain your accreditation on your systems then you need to have a support plan. That plan can either be a commercial services provider, vendor support contract (RHEL), or an in-house team to support the system.
Using a service provider other than RedHat is kind of silly since purchasing from RedHat supports CentOS.
Staying with RHEL is a non-change.
Having an in-house support team will be much more expensive as you will have to have staff for each of the packages on the system.
> than CentOS which makes sense since CentOS is simply a copy and when changes occur they propagate down to the RHEL clones. My question is what kind of time frame are we looking at when a vulnerability (critical or high) is announced and a patch has been released for RHEL does it get implemented into CentOS?
It has always been fast enough for us, but if it were not, we would help by providing patches to the SRPM to CentOS development team.
For official specifics, contact me off list.
--
Jason Pyeron, Principal Consultant
PD Inc. http://www.pdinc.us
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333
This message is copyright PD Inc, subject to license 20080407P00.