Hi,
I have been a happy user of CentOS 7 in the past. I am now considering switching to CentOS 8.
However, since the end of Oct. 2019, I have not received any updates on my CentOS 8 test installations. Since then, RHEL 8 has published several critical security updates.
Obviously, this makes the use of CentOS 8 in production dangerous.
I guess the missing updates have to do with RHEL version 8.1, which is not yet available for CentOS.
Basically, I would like to ask how the CentOS team sees the state of CentOS 8. Is the current version only intended for testing/evaluation? When does the CentOS team consider CentOS ready for production use? Is there any public documentation on this matter?
Thank you, best wishes and happy holidays,
Michael
Am 22.12.19 um 21:31 schrieb Michael Kofler:
Hi,
I have been a happy user of CentOS 7 in the past. I am now considering switching to CentOS 8.
However, since the end of Oct. 2019, I have not received any updates on my CentOS 8 test installations. Since then, RHEL 8 has published several critical security updates.
Obviously, this makes the use of CentOS 8 in production dangerous.
I guess the missing updates have to do with RHEL version 8.1, which is not yet available for CentOS.
Basically, I would like to ask how the CentOS team sees the state of CentOS 8. Is the current version only intended for testing/evaluation? When does the CentOS team consider CentOS ready for production use? Is there any public documentation on this matter?
Here you can find information that explains why there is a gap between RH and CentOS releases. Basically it's not intentional but just hard work:
https://wiki.centos.org/About/Building_8
https://wiki.centos.org/About/Building_8.x
-- Leon
On 23/12/2019 12:07 pm, Leon Fauster via CentOS wrote:
Am 22.12.19 um 21:31 schrieb Michael Kofler:
Hi,
I have been a happy user of CentOS 7 in the past. I am now considering switching to CentOS 8.
However, since the end of Oct. 2019, I have not received any updates on my CentOS 8 test installations. Since then, RHEL 8 has published several critical security updates.
Obviously, this makes the use of CentOS 8 in production dangerous.
I guess the missing updates have to do with RHEL version 8.1, which is not yet available for CentOS.
Basically, I would like to ask how the CentOS team sees the state of CentOS 8. Is the current version only intended for testing/evaluation? When does the CentOS team consider CentOS ready for production use? Is there any public documentation on this matter?
Here you can find information that explains why there is a gap between RH and CentOS releases. Basically it's not intentional but just hard work:
This misses the point of where are the intermediate updates to 8.0? Or can we only get point releases with no updates in between?
On Sun, Dec 22, 2019 at 5:30 PM Bill Maidment bill@maidment.me wrote:
This misses the point of where are the intermediate updates to 8.0? Or can we only get point releases with no updates in between?
8.0 has to be updated to 8.1 to get any future updates. Apparently 8.1 came out in early November before CentOS was able to get the update pipeline moving, so incremental updates will resume after 8.1 is released, which should be pretty soon now based on the schedule on that 8.x page above.
On Sun, Dec 22, 2019 at 5:30 PM Bill Maidment bill@maidment.me wrote:
This misses the point of where are the intermediate updates to 8.0? Or can we only get point releases with no updates in between?
You may want to watch the "CR work" on that wiki page.
What is the CR repo?
https://wiki.centos.org/AdditionalResources/Repositories/CR
Akemi
Le 23/12/2019 à 02:48, Akemi Yagi a écrit :
You may want to watch the "CR work" on that wiki page.
CR seems to be empty right now.
On Dec 23, 2019, at 07:32, Pete Biggs pete@biggs.org.uk wrote:
On Mon, 2019-12-23 at 09:16 +0100, Nicolas Kovacs wrote:
Le 23/12/2019 à 02:48, Akemi Yagi a écrit :
You may want to watch the "CR work" on that wiki page.
CR seems to be empty right now.
I thought that was the role of 8-stream now?
No. 8-stream is where packages will (eventually) be available to test software that’ll be part of the next point release of RHEL. So, for example, before RHEL 8.1 was released, 8-stream had kernel packages with a version-release close to what was eventually released in RHEL 8.1, and eventually into CentOS 8.1.xxxx.
-- Jonathan Billings billings@negate.org
Le 23/12/2019 à 23:01, Jonathan Billings a écrit :
No. 8-stream is where packages will (eventually) be available to test software that’ll be part of the next point release of RHEL. So, for example, before RHEL 8.1 was released, 8-stream had kernel packages with a version-release close to what was eventually released in RHEL 8.1, and eventually into CentOS 8.1.xxxx.
In short and to sum it up, CentOS 8 in its current state has some unpatched vulnerabilities. They have been addressed in RHEL since October, but not in CentOS.
It's fair to say this raises a few eyebrows among concerned CentOS users.
Cheers,
Niki
On Tue, Dec 24, 2019 at 10:19 AM Nicolas Kovacs info@microlinux.fr wrote:
Le 23/12/2019 à 23:01, Jonathan Billings a écrit :
No. 8-stream is where packages will (eventually) be available to test software that’ll be part of the next point release of RHEL. So, for example, before RHEL 8.1 was released, 8-stream had kernel packages with a version-release close to what was eventually released in RHEL 8.1, and eventually into CentOS 8.1.xxxx.
In short and to sum it up, CentOS 8 in its current state has some unpatched vulnerabilities. They have been addressed in RHEL since October, but not in CentOS.
It's fair to say this raises a few eyebrows among concerned CentOS users.
Cheers,
Niki
-- Microlinux - Solutions informatiques durables 7, place de l'église - 30730 Montpezat Site : https://www.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32 Mob. : 06 51 80 12 12
I don't know whether the below steps are permitted, but you can install RHEL 8.1 Developer Edition on a VM. Download the SRPM for your package. Then rebuild on the CentOS machine and install the RPM. This is just for the important fixes like security.
thanks
--- Thomas Stephen Lee
Le 24/12/2019 à 08:03, Thomas Stephen Lee a écrit :
I don't know whether the below steps are permitted, but you can install RHEL 8.1 Developer Edition on a VM. Download the SRPM for your package. Then rebuild on the CentOS machine and install the RPM. This is just for the important fixes like security.
That's missing the point.
While it's perfectly understandable that there's always a certain lag between upstream RHEL and CentOS, seven weeks without security updates is a serious showstopper for production use.
There's a difference between "use upstream Red Hat if you badly need those critical updates" and "don't use CentOS on your production servers".
Cheers & merry Christmas from blocked Paris on strike
:o)
Niki
On Tue, Dec 24, 2019 at 12:57 AM Nicolas Kovacs info@microlinux.fr wrote:
That's missing the point.
While it's perfectly understandable that there's always a certain lag between upstream RHEL and CentOS, seven weeks without security updates is a serious showstopper for production use.
There's a difference between "use upstream Red Hat if you badly need those critical updates" and "don't use CentOS on your production servers".
On the other hand, 99% of those security updates are things that probably don't affect most CentOS deployments.
Il 24-12-2019 11:30 John Pierce ha scritto:
On the other hand, 99% of those security updates are things that probably don't affect most CentOS deployments.
It does not only affect security, but also *functional* updates.
For an example of a quite important, but not fixed bug in current CentOS 8: https://bugzilla.redhat.com/show_bug.cgi?id=1680481
Long story short: currently, CentOS 8 is not usable as a webmail server with classical httpd+prefork+mod_php (due to an httpd crash loop).
Looking forward to CentOS 8.1! Thanks.
Am 24.12.19 um 16:06 schrieb Gionatan Danti:
Il 24-12-2019 11:30 John Pierce ha scritto:
On the other hand, 99% of those security updates are things that probably don't affect most CentOS deployments.
It does not only affect security, but also *functional* updates.
For an example of a quite important, but not fixed bug in current CentOS 8: https://bugzilla.redhat.com/show_bug.cgi?id=1680481
Long story short: currently, CentOS 8 is not usable as a webmail server with classical httpd+prefork+mod_php (due to an httpd crash loop).
The default, for reasons of performance and lower memory use, is the mpm_event handler and PHP via FPM ... did you try it?
-- Leon
Am 24.12.19 um 11:30 schrieb John Pierce:
On Tue, Dec 24, 2019 at 12:57 AM Nicolas Kovacs info@microlinux.fr wrote:
That's missing the point.
While it's perfectly understandable that there's always a certain lag between upstream RHEL and CentOS, seven weeks without security updates is a serious showstopper for production use.
There's a difference between "use upstream Red Hat if you badly need those critical updates" and "don't use CentOS on your production servers".
On the other hand, 99% of those security updates are things that probably don't affect most CentOS deployments.
BTW, also RH has a gap to the individual upstream projects. So, define the requirements and make a choice ...
-- Leon
On Dec 22, 2019, at 7:07 PM, Leon Fauster via CentOS centos@centos.org wrote:
Am 22.12.19 um 21:31 schrieb Michael Kofler:
Hi,
I have been a happy user of CentOS 7 in the past. I am now considering switching to CentOS 8.
However, since the end of Oct. 2019, I have not received any updates on my CentOS 8 test installations. Since then, RHEL 8 has published several critical security updates.
Obviously, this makes the use of CentOS 8 in production dangerous.
I guess the missing updates have to do with RHEL version 8.1, which is not yet available for CentOS.
Basically, I would like to ask how the CentOS team sees the state of CentOS 8. Is the current version only intended for testing/evaluation? When does the CentOS team consider CentOS ready for production use? Is there any public documentation on this matter?
Here you can find information that explains why there is a gap between RH and CentOS releases. Basically it's not intentional but just hard work:
And thanks for all the hard work from us, users!
Valeri
-- Leon
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Le 23/12/2019 à 02:07, Leon Fauster via CentOS a écrit :
Here you can find information that explains why there is a gap between RH and CentOS releases. Basically it's not intentional but just hard work:
While we're all aware that there will always be a gap between RHEL and CentOS, I guess what motivated the author's post initially (who by the way is an acclaimed Linux author and I can only speak very highly of his competence) is the fact that a two-month lag for important security updates is more than just a gap.
It seems like it boils down to: have these been ported to the Continuous Release repository?
Cheers,
Niki