On 23/07/10 05:00, R P Herrold wrote: > On Fri, 23 Jul 2010, Ned Slider wrote: > >>> Tough. Not me, thank you. This is a labor of love, and if >>> you want commercial SLA's you'll have to buy them from me. >>> Prices on request of a serious offer to purchase >>> http://www.owlriver.com/wings/ > >> I'm confused as to exactly what you are saying here. The CentOS Project >> FAQ states: >> >> Q. How long after redhat publishes a fix does it take for CentOS to >> publish a fix? >> >> A. Our goal is to have individual RPM packages available on the mirrors >> within 72 hours of their release, and normally they are available within >> 24 hours. >> >> https://www.centos.org/modules/smartfaq/faq.php?faqid=7 > >> Are you implying that you will provide security updates >> under a paid SLA agreement but not to the wider CentOS >> Community? > > Stop being coy and a trolling Bozo -- Of course I do, and have > for many many years, long predating CentOS -- if you are > unaware of that you have not thought through the timing and > the history > Then let me be a little less coy and and put some substance around my question. I started this thread, entitled "Missing security updates", because the CentOS documentation indicates that it is the Project's goal to provide updates within 1-3 days (notwithstanding we all appreciate this is a voluntary effort conducted in peoples free time). I and others have filed bug reports as requested about such missing updates once the indicated time period has elapsed. People currently expect updates within 72 hours, and normally within 24 hours, not because they are greedy leechers who simply take from your wonderful FOSS project, but because you have created that expectation within your own documentation. My question to you arises from the fact that when I and others have again raised the issue, your reply which I quoted above appears to be in direct contradiction to the perceived current position. To my reading, you imply you don't care about the timeliness of updates and that if one does care about such things then one should purchase an SLA agreement from your private consulting company. And it was sent from an @centos.org address. Now that's fine, just that it's in contradiction to what most people currently perceive to be the case and as is stated on the CentOS website, hence why I seek clarification. I'm sorry if you feel that is coy or trolling. I'm asking a simple question - please clarify the policy on security updates. If the answer is we don't care, that's also fine but lets update the website FAQ/documentation to reflect that position. If the position remains as stated on the website then your response quoted above to my thread is inaccurate, impolite and confusing an important issue which requires clarity. I ask because it's important to me. I know it's important to others too. I suspect it's important to many others. It's *not* important to me because I *need* CentOS security updates quickly - I don't. As I and others have been told many times before, I have Red Hat entitlements where needed, and I can and do build my own security updates for those machines not covered by RHEL licences. It's important to me because I want to see the CentOS project succeed and I care about the millions of unprotected CentOS servers on the Internet that are missing security updates at any given time. It hurts the reputation of the project, it affects the (online) neighbourhood I live in; so I care deeply. It's immensely frustrating when we see that security updates are missing, we get publicly berated for asking when we might expect them to be delivered, we get told the issue doesn't exist unless a bug is filed, bugs get filed that go unanswered and unacknowledged. Inevitably every few months it comes to a head in a thread like this and the response is CentOS developers becoming defensive (or even offensive) to those that ask. All it really takes it a little communication. The only people that have really communicated anything useful in this whole thread is Tru who has held his hands up and said he's been busy with real life (thanks Tru - much appreciated and we all understand that), and Karan who as informed us he is doing his best to cover for Tru but acknowledges that by his own very high standards that he isn't currently doing as good a job as he might have hoped. Again, we understand that, that's fine and all we have any right to expect. Is it really so difficult to communicate that on a regular basis? These things all stem from not knowing/a lack of information. > * shrug * > > But, not under a CentOS signing key. The rest of your posting is largely irrelevant to this thread and the issue of missing CentOS updates IMHO.