[CentOS-devel] Missing security updates

Fri Jul 23 10:52:59 UTC 2010
Ned Slider <ned at unixmail.co.uk>

On 23/07/10 05:00, R P Herrold wrote:
> On Fri, 23 Jul 2010, Ned Slider wrote:
>>> Tough.  Not me, thank you.  This is a labor of love, and if
>>> you want commercial SLA's you'll have to buy them from me.
>>> Prices on request of a serious offer to purchase
>>>    	http://www.owlriver.com/wings/
>> I'm confused as to exactly what you are saying here. The CentOS Project
>> FAQ states:
>> Q. How long after redhat publishes a fix does it take for CentOS to
>> publish a fix?
>> A. Our goal is to have individual RPM packages available on the mirrors
>> within 72 hours of their release, and normally they are available within
>> 24 hours.
>> https://www.centos.org/modules/smartfaq/faq.php?faqid=7
>> Are you implying that you will provide security updates
>> under a paid SLA agreement but not to the wider CentOS
>> Community?
> Stop being coy and a trolling Bozo -- Of course I do, and have
> for many many years, long predating CentOS -- if you are
> unaware of that you have not thought through the timing and
> the history

Then let me be a little less coy and and put some substance around my 

I started this thread, entitled "Missing security updates", because the 
CentOS documentation indicates that it is the Project's goal to provide 
updates within 1-3 days (notwithstanding we all appreciate this is a 
voluntary effort conducted in peoples free time). I and others have 
filed bug reports as requested about such missing updates once the 
indicated time period has elapsed. People currently expect updates 
within 72 hours, and normally within 24 hours, not because they are 
greedy leechers who simply take from your wonderful FOSS project, but 
because you have created that expectation within your own documentation.

My question to you arises from the fact that when I and others have 
again raised the issue, your reply which I quoted above appears to be in 
direct contradiction to the perceived current position. To my reading, 
you imply you don't care about the timeliness of updates and that if one 
does care about such things then one should purchase an SLA agreement 
from your private consulting company. And it was sent from an 
@centos.org address. Now that's fine, just that it's in contradiction to 
what most people currently perceive to be the case and as is stated on 
the CentOS website, hence why I seek clarification. I'm sorry if you 
feel that is coy or trolling. I'm asking a simple question - please 
clarify the policy on security updates. If the answer is we don't care, 
that's also fine but lets update the website FAQ/documentation to 
reflect that position. If the position remains as stated on the website 
then your response quoted above to my thread is inaccurate, impolite and 
confusing an important issue which requires clarity.

I ask because it's important to me. I know it's important to others too. 
I suspect it's important to many others.

It's *not* important to me because I *need* CentOS security updates 
quickly - I don't. As I and others have been told many times before, I 
have Red Hat entitlements where needed, and I can and do build my own 
security updates for those machines not covered by RHEL licences. It's 
important to me because I want to see the CentOS project succeed and I 
care about the millions of unprotected CentOS servers on the Internet 
that are missing security updates at any given time. It hurts the 
reputation of the project, it affects the (online) neighbourhood I live 
in; so I care deeply.

It's immensely frustrating when we see that security updates are 
missing, we get publicly berated for asking when we might expect them to 
be delivered, we get told the issue doesn't exist unless a bug is filed, 
bugs get filed that go unanswered and unacknowledged. Inevitably every 
few months it comes to a head in a thread like this and the response is 
CentOS developers becoming defensive (or even offensive) to those that 
ask. All it really takes it a little communication. The only people that 
have really communicated anything useful in this whole thread is Tru who 
has held his hands up and said he's been busy with real life (thanks Tru 
- much appreciated and we all understand that), and Karan who as 
informed us he is doing his best to cover for Tru but acknowledges that 
by his own very high standards that he isn't currently doing as good a 
job as he might have hoped. Again, we understand that, that's fine and 
all we have any right to expect. Is it really so difficult to 
communicate that on a regular basis? These things all stem from not 
knowing/a lack of information.

> * shrug *
> But, not under a CentOS signing key.

The rest of your posting is largely irrelevant to this thread and the 
issue of missing CentOS updates IMHO.