[CentOS-devel] moving the CR repo into mainstream release

Tue Nov 22 20:00:02 UTC 2011
Marko Bevc <marko at bevc.net>

Well my 5c... nothing being wrong with the CR repo, but does the upstream 
provider (RH) not deploy updates as they come? So if you put them in the 
main repo as you compile them, it would be the same? :) (maybe just check 
the order...)


Regards,
Marko
On Tue, 22 Nov 2011, Les Mikesell wrote:

> On Tue, Nov 22, 2011 at 2:55 AM, Johnny Hughes <johnny at centos.org> wrote:
>>>
>>> The question is whether this person would be better off getting
>>> security updates that were built post-minor-rev-update or not in a
>>> default 'yum update'.   It's a yes or no question, where recommending
>>> doing one thing and making the default something else doesn't make a
>>> lot of sense.   With/without the CR approach, the non-security related
>>> updates are going to come along for the ride, and you will probably
>>> want them anyway.
>>>
>>
>> BUT ... I think that giving the user the choice is certainly preferable.
>
> You have always had the choice of running 'yum update' or not.  Or
> running it for specific packages.  Or looking at the list it offers
> and making the choice then.  That's for people who are paying
> attention.   The question is what should happen if you don't pay
> attention and just expect 'yum update' to always install all available
> security updates for the life of the major rev like it always had
> before, dragging along some other bugfixes at minor releases.
>
>> We offer, at some increased risk (due to less QA), a repo staged updates.
>
> I think the risk factor goes the other way, at least for any machine
> that needs updates at all.  We just haven't had a well-known exploit
> to show it yet.
>
>> We made this very easy to get ... just run yum install centos-release-cr
>> if you want it.
>>
>> But we give the customer the option to take the increase risk or not.
>
> That would be reduce the risk if any security issues are involved.
>
>> I think this is the RIGHT way to do this.
>
> Maybe it would have been from the beginning, but at this point I'd bet
> that there are a lot of CentOS installations that haven't updated and
> don't know that they have to do something new and different to get
> security updates.
>
>> I know that it means if you do not know how to manage your machine (and
>> issue a very simple command to get CR) then you don't get it ... but I
>> still think that the full repo with full QA should be the default.
>
> How long do you think it is reasonable to go without updates?  I'd
> call it mostly a matter of luck if you keep running after any
> combination of a remote exploit plus a local privilege escalation are
> known by anyone - and that has always been just a matter of time.
>
>> Then, we make people who want CR happy, they can install it and it works
>> after install ... and we make the people like Greg happy because he does
>> not have to do anything to turn it off if he perceives the risk is too
>> great to have it on.
>
> If updating is too much of a risk, don't update at all.  He's going to
> get the one he suggested as a problem as soon as you do a real release
> anyway. I don't think he really identified a problem related to having
> the minor rev updates come before a new anaconda/iso is available.
>
>
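The thread turns on whether a host actually receives post-minor-release security updates, which depends on whether the CR repository is installed and enabled. The following is an added example, not code from the thread or from the CentOS project: a small POSIX shell audit that reads a yum `.repo` file and reports whether a `[cr]` section is enabled, following yum's rule that a missing `enabled=` key means enabled. The sample file content is constructed here to resemble the shape of a CR repo file shipped with `enabled=0`; the section name `[cr]` is assumed to be what `centos-release-cr` installs.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report whether the
# CentOS CR repository is enabled in a yum .repo file, so an admin can audit
# which update channel a host actually follows. The sample file below is
# constructed; the [cr] section name and enabled= key are assumptions based
# on standard yum repo-file syntax.

# cr_repo_state FILE -> prints "enabled", "disabled" or "absent"
# yum treats a section without an enabled= key as enabled, so that case
# is reported as "enabled" too.
cr_repo_state() {
    awk '
        /^\[/ { in_cr = ($0 == "[cr]"); if (in_cr) seen = 1; next }
        in_cr && /^[ \t]*enabled[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); state = kv[2]
        }
        END {
            if (!seen)                              print "absent"
            else if (state == "" || state == "1")   print "enabled"
            else                                    print "disabled"
        }' "$1"
}

# Constructed sample: a CR repo file as it might ship, with enabled=0.
# The quoted heredoc keeps $releasever/$basearch literal, as yum expects.
make_sample_repo() {
    cat > "$1" <<'EOF'
[cr]
name=CentOS-$releasever - cr
baseurl=http://mirror.centos.org/centos/$releasever/cr/$basearch/
gpgcheck=1
enabled=0
EOF
}

# Usage: check the shipped state, then the state after an admin turns it on.
sample="${TMPDIR:-/tmp}/centos-cr-sample.$$.repo"
make_sample_repo "$sample"
cr_repo_state "$sample"                                    # disabled
sed 's/^enabled=0/enabled=1/' "$sample" > "$sample.on"
cr_repo_state "$sample.on"                                 # enabled
rm -f "$sample" "$sample.on"
```

On a real host the function would be pointed at `/etc/yum.repos.d/CentOS-CR.repo`; a result of `absent` or `disabled` means the machine only sees the fully QA'd point-release updates described in the thread, not the CR stream.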