[CentOS-devel] Missing security updates

Thu Jul 22 21:09:40 UTC 2010
Jeff Johnson <n3npq at mac.com>

On Jul 22, 2010, at 4:49 PM, Charlie Brady wrote:

> 
> You apparently know exactly what they do, via some combination of 
> intuition, personal experience and gossip collected at conferences. But 
> that doesn't make it an open process, and doesn't make it well known.
> 

Well that also doesn't make it a closed process (other than I haven't bothered
to implant an http intracranially).

In fact you asked a question and I tried to provide some reasonable answers.

But what -- in fact -- are you asking for?

You want which of the following:
	a) instant release of @redhat.com "security" releases through CentOS?
	b) a documented process flow for what is involved with a "security" release
	c) a reliable ETA for CentOS security fixes
	d) the ability to participate in CentOS testing
	e) more community involvement in CentOS
	f) a whole different distro management team, or even a whole different distro
	g) something else ... ?

>>>> There's nothing stopping anyone from grabbing the sausages in the 
>>>> "security release", building, installing, testing, and reporting 
>>>> "worksforme" to assist in expediting a "security release".
>>> 
>>> I'm not sure how that would help. We already know that Red Hat have built 
>>> and presumably tested these packages. If I say that I've built and tested 
>>> them, does that churn them through the CentOS process any quicker? Does  
>>> it add any assurance to the packages *as built by CentOS*?
>> 
>> And again there's the assumption that there's nothing to do because the
>> release process is just cookie cutter gear turning.
> 
> There's no such assumption. My assertion is that me building something on 
> my dev system does nothing to accelerate the production of binaries by 
> CentOS.
> 

Apologies for not carefully reading. My guesstimate (fwiw) is that
assistance rebuilding packages, with credible (as in at least summarize
what you did) WORKSFORME, particularly on odd-ball corner cases like z390
and or ppc, will not only help expedite a CentOS security release,
but also earn you (at a bare minimum) a thank you! from CentOS developers.

I'm quite sure that someone will correct any detail that I have mis-guessed
(based solely on my personal/private/closed experiences).

>> The reality is quite different in my experience (but second-hand, I've
>> never personally experienced the CentOS "security" release process).
> 
> The key questions, Jeff, are whether the process can be improved, and if 
> so, how? Statements about how complex the process is or might be don't 
> help. Neither do suggestions that we all go home and do it ourselves.

I hardly said "Go home and do it yourself" by any stretch of the imagination.

All processes can be improved. You started this thread by claiming not to
know the process. Figger the CentOS process, and you will know how it can be
improved.

And the process (generally) for "security" releases is not that hard to
learn. The CentOS process is no different.

73 de Jeff