[CentOS-devel] CentOS-[56] Continous Release

Tue Jun 21 22:41:06 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

Les Mikesell wrote:
> On 6/21/2011 3:00 PM, Ljubomir Ljubojevic wrote:
>> Les Mikesell wrote:
>>> So, if you were managing an internet connected host running CentOS,
>>> would you configure it to track the CR repo or not?  Or what criteria
>>> would you use to make this decision?  I'm still having trouble seeing
>>> why, if upstream decided they should go out, that someone running what
>>> is essentially identical to that upstream code doesn't need them for the
>>> same reasons.  Or why to think the risk of installing them outweighs the
>>> risk of continuing to run what upstream had its reasons to replace.
>> We are not talking about regular updates, but **only** the time between
>> RHEL point release and CentOS point release. So completed packages do
>> not wait for *all* packages and ISO's to be released, but are available
>> as soon as QA team approves them.
>> If there is fundamental error for a base package that requires for some
>> of those packages to be recompiled, we need to have some kind of
>> automatic protection for that case scenario.
> That doesn't address the risk of *not* installing these updates. 
> Generally speaking, I think most users of CentOS trust upstream's 
> choices and for me that includes when it is time to fix the bugs they 
> shipped last time around.  And generally speaking, I trust the CentOS 
> project to be able to recompile working source and catch obvious 
> mistakes before pushing them out.
> So, again, under what circumstances does anyone think it is a good idea 
> to not opt into this repo and instead keep running code that will very 
> likely have published exploits over a time span that we've seen can run 
> for months?  I agree that this is a fuzzy area where not all of the 
> point release updates address vulnerabilities or even serious bugs, but 
> some certainly will.  It just seems to me that not doing them is betting 
> against the upstream wisdom or the project's building/QA capability. 
> But I also agree that yum should be smarter and know something about 
> rebuilds with no source change.
I finally understand what you are talking about.
Who said anything about not releasing critical updates as soon as srpms 
are available (in "updates" repo)? I am sure that every security patch 
will still be released as soon as it is rebuild, unless it requires a 
package that has build problems that will actually hold entire build 
process, in which case even CR repo will not help.