[CentOS-devel] Missing security updates

Fri Jul 23 04:00:31 UTC 2010
R P Herrold <herrold at owlriver.com>

On Fri, 23 Jul 2010, Ned Slider wrote:

>> Tough.  Not me, thank you.  This is a labor of love, and if
>> you want commercial SLA's you'll have to buy them from me.
>> Prices on request of a serious offer to purchase
>>   	http://www.owlriver.com/wings/

> I'm confused as to exactly what you are saying here. The CentOS Project
> FAQ states:
>
> Q. How long after redhat publishes a fix does it take for CentOS to
> publish a fix?
>
> A. Our goal is to have individual RPM packages available on the mirrors
> within 72 hours of their release, and normally they are available within
> 24 hours.
>
> https://www.centos.org/modules/smartfaq/faq.php?faqid=7

> Are you implying that you will provide security updates 
> under a paid SLA agreement but not to the wider CentOS 
> Community?

Stop being coy and a trolling Bozo -- Of course I do, and have 
for many many years, long predating CentOS -- if you are 
unaware of that you have not thought through the timing and 
the history

* shrug *

But, not under a CentOS signing key.  The web content at 
'wings' was written and updated long before RHEL ever existed, 
let alone CentOS.  Progeny and I have pretty conclusively 
demonstrated that there is (or at least was) not a sustainable 
market for enterprise distributions maintenance (and Jesse 
Keating later as to a 'all packages' backport of security 
fixes as to FL) as a standalone matter, but rather such sales 
of services and SLA's occur as a 'pull along' to other 
consultancy work

Obviously other vendors are equally free to compete in the 
marketplace for selling such against me, just as I compete 
with Red Hat ... just as CentOS very consciously does NOT sell 
SLA backed update promises

Under a contract with third parties and backed and signed by 
an Owl River key, I do and have provided, and will continue to 
provide, cross-builds of [in part] publicly released Red Hat's 
SRPMs in advance of matter CentOS may later issue, since long 
before CentOS or cAos existed.  I review a nightly mirroring 
report with 'diffs', and feed my personal buildsystems accordingly

My R side package module archive is several hundred large, 
covering essentially all of bioinformatics, finance, 
statistics and economics dependencies and all leaf nodes of 
merit for CRAN, RForge and Bioconductor.  By comparison, 
RawHide seems to have 64 with indifferent attention to 'MAKE 
CHECK' at build time matters.  The count is slightly high as 
this matches some non R content
 	 ls | grep ^R | wc

My most recent blog post series will conclude with a piece as 
to SRPM building and build environment [gawd, yet again], rpm 
keys and signing, local side archive building, adjunct yum 
repository setup, and Release number bumping to address the 
broken [as to spamassassin bleeding] perl-Tar-Net the upstream 
issued in the last couple of weeks.  All for free, free, free

Paying customers of PMman have access to binaries, and all 
sources in the build chain, for a later git, the latest 
milter-greylist, other stuff.  Some is similar to or based on 
parts from RPMforge, some to RawHide, and a lot is me doing 
dependency chain resolution, packaging, and content vetting to 
stabilize such

[herrold at trap SRPMS]$ ls
diskcheck-1.6-3orc.src.rpm
fail2ban-0.8.1-11orc.src.rpm
fail2ban-0.8.1-12orc.src.rpm
fail2ban-0.8.4-24orc.src.rpm
git-1.6.5.2-1orc.src.rpm
incron-0.5.8-1orc.src.rpm
keystone-spamassassin-1.00-1orc.src.rpm
perl-Crypt-OpenSSL-Bignum-0.03-3orc.src.rpm
perl-Crypt-OpenSSL-Random-0.04-2orc.src.rpm
perl-Crypt-OpenSSL-RSA-0.25-10orc.src.rpm
perl-Devel-Symdump-2.07-5orc.src.rpm
perl-Digest-SHA-5.48-1orc.src.rpm
perl-Encode-Detect-1.01-1orc.src.rpm
perl-Error-0.17016-1orc.src.rpm
perl-ExtUtils-CBuilder-0.22-1.rf.src.rpm
perl-ExtUtils-ParseXS-2.15-1orc.src.rpm
perl-IP-Country-2.26-2orc.src.rpm
perl-Mail-DKIM-0.37-2orc.src.rpm
perl-Mail-DomainKeys-1.0-1.rf.src.rpm
perl-Mail-SPF-Query-1.999.1-3orc.src.rpm
perl-Mail-SPF-v2.007-1orc.src.rpm
perl-Mail-SRS-0.31-1.rf.src.rpm
perl-Module-Build-0.2806-2.rf.src.rpm
perl-Module-Signature-0.55-3orc.src.rpm
perl-NetAddr-IP-4.004-2orc.src.rpm
perl-Net-CIDR-Lite-0.20-3orc.src.rpm
perl-Net-DNS-Resolver-Programmable-v0.003-1orc.src.rpm
perl-Net-Ident-1.20-1.rf.src.rpm
perl-PAR-Dist-0.25-1.orc.src.rpm
perl-PAR-Dist-0.34-2orc.src.rpm
perl-Pod-Coverage-0.18-1.rf.src.rpm
perl-Pod-Escapes-1.04-1orc.src.rpm
perl-Pod-Readme-0.081-3orc.src.rpm
perl-Pod-Simple-3.04-1orc.src.rpm
perl-Test-Pod-1.26-4orc.src.rpm
perl-Test-Pod-Coverage-1.08-6orc.src.rpm
perl-Test-Portability-Files-0.05-6orc.src.rpm
perl-version-0.69-1orc.src.rpm
perl-YAML-0.66-3orc.src.rpm
razor-agents-2.81-2.fc4.rf.src.rpm
repodata
spamassassin-3.3.0-0.29.rc1orc.src.rpm
spamassassin-3.3.0-5orc.src.rpm
spamassassin-3.3.1-2orc.src.rpm
[herrold at trap SRPMS]$

note: 'trap' is named for the comment by Admiral Ackbar in the 
first Star Wars, as in: "It's a ..."


I discontinued making signed binary content generally 
available, and withdrew general anonymous FTP access to such 
except as required by license, as a general rule, since before 
I captured this content [1] in '00 as part of implementing the 
strategy we came up with at the ORC Project 2000 retreat [2] 
or for a former ORC 'Live Wire' project.  Certainly by RHL 6.2 
days.  What a nice release that was


The statement on the CentOS site, seemingly placed by donovan 
in late 2004, relates to CentOS [and contains some spam which 
I'll go kill off shortly].  Donovan came to CentOS via Lance 
as I recall, ex WhiteBox, and I do not know particularly 
that I was aware of that content.  If I were, I would have 
corrected the form and capitalization of 'redhat' to an 
accurate one

-- Russ herrold

[1] http://www.owlriver.com/clippings/2000-10-17.309.html
[2] http://www.owlriver.com/2000/
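As an added example, not the author's script and not part of the original post: a small POSIX shell routine that compares two days' mirror listings of SRPMs and reports packages that are new or whose version-release changed, which is the kind of 'diff' a nightly mirroring report can feed into a private build system. The two listings embedded in it are constructed for the demo; the package names are modelled on the SRPM list above, the versions are invented.

```shell
#!/bin/sh
# Added example (not the post author's code): report new or updated
# SRPMs between yesterday's and today's mirror listing.  The sample
# listings in demo() are constructed for this example.
LC_ALL=C
export LC_ALL

# stdin:  one SRPM filename per line
# stdout: "name version-release", sorted by name so join(1) can consume it.
# A source package is NAME-VERSION-RELEASE.src.rpm; NAME may contain
# dashes but VERSION and RELEASE do not, so split on the last two dashes.
to_table() {
  sed -n 's/\.src\.rpm$//; s/^\(.*\)-\([^-]*-[^-]*\)$/\1 \2/p' | sort -k1,1
}

# $1 = yesterday's listing file, $2 = today's listing file.
# Prints "NEW name vr" for packages absent yesterday and
# "UPDATED name oldvr newvr" for packages whose version-release changed.
mirror_delta() {
  old_t=$(mktemp) && new_t=$(mktemp) || return 1
  to_table < "$1" > "$old_t"
  to_table < "$2" > "$new_t"
  # -v 2: lines of today's table with no match in yesterday's table
  join -v 2 "$old_t" "$new_t" | awk '{ print "NEW", $1, $2 }'
  # matched names: fields are name, yesterday's vr, today's vr
  join "$old_t" "$new_t"      | awk '$2 != $3 { print "UPDATED", $1, $2, $3 }'
  rm -f "$old_t" "$new_t"
}

# Demo with constructed listings (names modelled on the post's SRPM
# directory, versions invented).
demo() {
  y=$(mktemp) && t=$(mktemp) || return 1
  cat > "$y" <<'EOF'
perl-Digest-SHA-5.48-1orc.src.rpm
perl-Mail-SPF-v2.007-1orc.src.rpm
spamassassin-3.3.0-5orc.src.rpm
EOF
  cat > "$t" <<'EOF'
git-1.6.5.2-1orc.src.rpm
perl-Digest-SHA-5.48-1orc.src.rpm
perl-Mail-SPF-v2.007-1orc.src.rpm
spamassassin-3.3.1-2orc.src.rpm
EOF
  mirror_delta "$y" "$t"
  rm -f "$y" "$t"
}

demo
```

The script only says what changed on the mirror, not whether the change is trustworthy: before feeding a flagged SRPM into a build, check its signature against the vendor key you expect (`rpm --checksig file.src.rpm`), since a mirror can just as easily serve unsigned or replaced content as a genuine update.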