[CentOS-devel] Missing security updates
ned at unixmail.co.uk
Fri Jul 23 10:52:59 UTC 2010
On 23/07/10 05:00, R P Herrold wrote:
> On Fri, 23 Jul 2010, Ned Slider wrote:
>>> Tough. Not me, thank you. This is a labor of love, and if
>>> you want commercial SLA's you'll have to buy them from me.
>>> Prices on request of a serious offer to purchase
>> I'm confused as to exactly what you are saying here. The CentOS Project
>> FAQ states:
>> Q. How long after redhat publishes a fix does it take for CentOS to
>> publish a fix?
>> A. Our goal is to have individual RPM packages available on the mirrors
>> within 72 hours of their release, and normally they are available within
>> 24 hours.
>> Are you implying that you will provide security updates
>> under a paid SLA agreement but not to the wider CentOS
> Stop being coy and a trolling Bozo -- Of course I do, and have
> for many many years, long predating CentOS -- if you are
> unaware of that you have not thought through the timing and
> the history
Then let me be a little less coy and and put some substance around my
I started this thread, entitled "Missing security updates", because the
CentOS documentation indicates that it is the Project's goal to provide
updates within 1-3 days (notwithstanding we all appreciate this is a
voluntary effort conducted in peoples free time). I and others have
filed bug reports as requested about such missing updates once the
indicated time period has elapsed. People currently expect updates
within 72 hours, and normally within 24 hours, not because they are
greedy leechers who simply take from your wonderful FOSS project, but
because you have created that expectation within your own documentation.
My question to you arises from the fact that when I and others have
again raised the issue, your reply which I quoted above appears to be in
direct contradiction to the perceived current position. To my reading,
you imply you don't care about the timeliness of updates and that if one
does care about such things then one should purchase an SLA agreement
from your private consulting company. And it was sent from an
@centos.org address. Now that's fine, just that it's in contradiction to
what most people currently perceive to be the case and as is stated on
the CentOS website, hence why I seek clarification. I'm sorry if you
feel that is coy or trolling. I'm asking a simple question - please
clarify the policy on security updates. If the answer is we don't care,
that's also fine but lets update the website FAQ/documentation to
reflect that position. If the position remains as stated on the website
then your response quoted above to my thread is inaccurate, impolite and
confusing an important issue which requires clarity.
I ask because it's important to me. I know it's important to others too.
I suspect it's important to many others.
It's *not* important to me because I *need* CentOS security updates
quickly - I don't. As I and others have been told many times before, I
have Red Hat entitlements where needed, and I can and do build my own
security updates for those machines not covered by RHEL licences. It's
important to me because I want to see the CentOS project succeed and I
care about the millions of unprotected CentOS servers on the Internet
that are missing security updates at any given time. It hurts the
reputation of the project, it affects the (online) neighbourhood I live
in; so I care deeply.
It's immensely frustrating when we see that security updates are
missing, we get publicly berated for asking when we might expect them to
be delivered, we get told the issue doesn't exist unless a bug is filed,
bugs get filed that go unanswered and unacknowledged. Inevitably every
few months it comes to a head in a thread like this and the response is
CentOS developers becoming defensive (or even offensive) to those that
ask. All it really takes it a little communication. The only people that
have really communicated anything useful in this whole thread is Tru who
has held his hands up and said he's been busy with real life (thanks Tru
- much appreciated and we all understand that), and Karan who as
informed us he is doing his best to cover for Tru but acknowledges that
by his own very high standards that he isn't currently doing as good a
job as he might have hoped. Again, we understand that, that's fine and
all we have any right to expect. Is it really so difficult to
communicate that on a regular basis? These things all stem from not
knowing/a lack of information.
> * shrug *
> But, not under a CentOS signing key.
The rest of your posting is largely irrelevant to this thread and the
issue of missing CentOS updates IMHO.
More information about the CentOS-devel