[CentOS-devel] moving the CR repo into mainstream release

Tue Nov 22 14:04:47 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On Tue, Nov 22, 2011 at 2:55 AM, Johnny Hughes <johnny at centos.org> wrote:
>> The question is whether this person would be better off getting
>> security updates that were built post-minor-rev-update or not in a
>> default 'yum update'.   It's a yes or no question, where recommending
>> doing one thing and making the default something else doesn't make a
>> lot of sense.   With/without the CR approach, the non-security related
>> updates are going to come along for the ride, and you will probably
>> want them anyway.
> BUT ... I think that giving the user the choice is certainly preferable.

You have always had the choice of running 'yum update' or not.  Or
running it for specific packages.  Or looking at the list it offers
and making the choice then.  That's for people who are paying
attention.   The question is what should happen if you don't pay
attention and just expect 'yum update' to always install all available
security updates for the life of the major rev like it always had
before, dragging along some other bugfixes at minor releases.

> We offer, at some increased risk (due to less QA), a repo of staged updates.

I think the risk factor goes the other way, at least for any machine
that needs updates at all.  We just haven't had a well-known exploit
to show it yet.

> We made this very easy to get ... just run yum install centos-release-cr
> if you want it.
> But we give the customer the option to take the increased risk or not.

That would reduce the risk if any security issues are involved.

> I think this is the RIGHT way to do this.

Maybe it would have been from the beginning, but at this point I'd bet
that there are a lot of CentOS installations that haven't updated and
don't know that they have to do something new and different to get
security updates.

> I know that it means if you do not know how to manage your machine (and
> issue a very simple command to get CR) then you don't get it ... but I
> still think that the full repo with full QA should be the default.

How long do you think it is reasonable to go without updates?  I'd
call it mostly a matter of luck if you keep running after any
combination of a remote exploit plus a local privilege escalation is
known by anyone - and that has always been just a matter of time.

> Then, we make people who want CR happy, they can install it and it works
> after install ... and we make the people like Greg happy because he does
> not have to do anything to turn it off if he perceives the risk is too
> great to have it on.

If updating is too much of a risk, don't update at all.  He's going to
get the one he suggested as a problem as soon as you do a real release
anyway. I don't think he really identified a problem related to having
the minor rev updates come before a new anaconda/iso is available.

