[CentOS-devel] Missing security updates

Thu Jul 22 20:49:05 UTC 2010
Charlie Brady <charlieb-centos-devel at budge.apana.org.au>

On Thu, 22 Jul 2010, Jeff Johnson wrote:

> On Jul 22, 2010, at 4:26 PM, Charlie Brady wrote:
> > On Thu, 22 Jul 2010, Jeff Johnson wrote:
> > 
> >> What exactly is "closed" about the process? Sausages from the 
> >> @redhat.com factory arrive on the CentOS loading dock, are examined, 
> >> tallied, listed, stamped, processed, and re-distributed. The entire 
> >> process for CentOS release engineering is easily seen, been the same 
> >> since forever.
> > 
> > Do you have any references for the "examined, tallied, listed, stamped" 
> > part of these processes? I was unaware that there was any external 
> > visibility on these internal CentOS processes. There's nothing here, for 
> > instance:
> > 
> > http://bugs.centos.org/view.php?id=4386
> > 
> > Is the information available elsewhere?
> All I have is 7 years of experience doing 14+ RHL releases and
> years of meetups with most of the CentOS team @FOSDEM.
> So no, I can't give a URI to a documented, formal, typeset, wiki
> or web-page for what is involved.
> Feel free to try the process yourself and see what is involved.
> The entire process is quite simple to understand even if tedious.

Whatever process I would create if I were doing this is irrelevant. What 
the CentOS developers actually do and don't do is what is relevant.

You apparently know exactly what they do, via some combination of 
intuition, personal experience and gossip collected at conferences. But 
that doesn't make it an open process, and doesn't make it well known.

> >> There's nothing stopping anyone from grabbing the sausages in the 
> >> "security release", building, installing, testing, and reporting 
> >> "worksforme" to assist in expediting a "security release".
> > 
> > I'm not sure how that would help. We already know that Red Hat have built 
> > and presumably tested these packages. If I say that I've built and tested 
> > them, does that churn them through the CentOS process any quicker? Does 
> > it add any assurance to the packages *as built by CentOS*?
> And again there's the assumption that there's nothing to do because the
> release process is just cookie cutter gear turning.

There's no such assumption. My assertion is that me building something on 
my dev system does nothing to accelerate the production of binaries by 

> The reality is quite different in my experience (but second-hand, I've
> never personally experienced the CentOS "security" release process).

The key questions, Jeff, are whether the process can be improved, and if 
so, how? Statements about how complex the process is or might be don't 
help. Neither do suggestions that we all go home and do it ourselves.