[CentOS-devel] CentOS 5.7 has no centos-release-cr package

Wed Sep 28 09:13:36 UTC 2011
Kevin Stange <kevin at steadfast.net>

On 09/28/2011 04:07 AM, Johnny Hughes wrote:
> On 09/28/2011 03:31 AM, Xavier Bachelot wrote:
>> On 09/23/2011 10:25 PM, Johnny Hughes wrote:
>>> On 09/22/2011 08:16 PM, Ben Galliart wrote:
>>>> On 09/17/2011, Karanbir Singh wrote:
>>>>
>>>>> Now back to the question on hand, centos-release-cr in 5.7..
>>>>
>>>>> Perhaps the best place for the centos-release-cr is in the updates/
>>>>> repo, rather than the /cr/ repo, since that way it would further reduce
>>>>> the barrier for people to opt-in, a simple 'yum install
>>>>> centos-releae-cr' would get them on the track, and keep them there till
>>>>> such time as they want to opt-out.
>>>>
>>>> Is there any ETA as to when this could be done or at least decided on?
>>>
>>> There is no need to upgrade anything.  If you installed the package, you
>>> are on CR ... then and now.
>>>
>>> The CentOS-CR repo points to /5/cr/ (which is 5.7 now and was 5.6 when
>>> the repo file was released).
>>>
>>> It (/cr/) is currently empty because 5.7/os and 5.7/updates contain all
>>> the RPMS that are required to update from 5.6 (or any other version of
>>> CentOS).
>>>
>>> When 5.8 is released, the RPMs that are part of 5.8 will get put into
>>> the /5.7/cr/ and allow people who are opted in to get the updates before
>>> the 5.8 release.
>>>
>>> I think maybe putting the RPM in "extras", so it is easier to install is
>>> doable ... but not a huge issue.
>>>
>>> In fact, I have put it there.  centos-release-cr is now in extras.
>>>
>> What's the reasoning for putting centos-release-cr in the extras repo ? 
>> Imho, the package would fit better in either the updates or cr 
>> repositories (with a preference for the later), because these 2 repos 
>> allows to get upstream updates and only that, while extras carries a lot 
>> of packages not coming from upstream. Providing a repository yum 
>> configuration from within said repository is quite usual for other repos 
>> and it looks strange to have to use one repo to get the conf for another.
>>
>> The use case is to kickstart an install with base + updates + cr in 
>> order to have a fully updated and updatable system with only packages 
>> from upstream. Adding extras to the mix to be able to pull just the 
>> centos-release-cr package makes the use of other 3rd party repositories 
>> more difficult, as extras and 3rd party repo can and do provide 
>> overlapping packages. This is true for epel, I guess this is true for 
>> others 3rd party repos. Indeed, this can be worked around, but this adds 
>> some complexity.
> 
> It is not in the CR repo, because it's purpose is to enable the CR repo.
>  If you have to manually download it and install it (instead of using
> yum) to enable the repo, then it kind of defeats the purpose for it to
> be an RPM in the first place.  We could just provide the .repo file and
> say to put it in /etc/yum.repos.d/
> 
> It is not in updates because updates is just that ... updates to the
> packages already in base.  Updates is not the place for "Extra" packages
> that we need to distribute which are not in the upstream RPMS.  That is
> what extras is for...
> 
> Extras, on the other hand, is exactly for this kind of package.  It is a
> package, provided by CentOS, that is not upstream ... and is not
> replacing a package written by upstream.  Extras is also enabled by
> default, so all that is required is to run:
> 
> yum install centos-release-cr
> 
> To get it installed and enabled.  Once installed, it is enabled and it
> works from that point on.
> 
> My personal opinion is that an RPM is not even necessary for this repo
> ... and that all we should do is put a repo file in the repository
> itself and tell people do download it ... but if we are going to have an
> RPM for it, then that RPM should be hosted in the Extras repository.

What is the reason for this mentality?  KB specifically and strongly
recommended using CR between 5.6 and 5.7 because that entire time users
are without kernel and other security updates, some of which may be
exploitable easily.  Yet you suggest that rather than making it simple
to add the CR repo to an existing installation with a single "yum"
command and easily include the repo into a kickstart without having
write a post-install script, to make sure that users must do all the
work of a) discovering that CR exists in the first place and b) manually
downloading a file and then putting it in the correct place.

I think CR is extremely important unless CentOS will make a commitment
to turn around all new upstream releases within 2 weeks, which recently
has not happened.  CR needs to be widely publicized, easy to install,
and easy to opt-in early and permanently to avoid leaving so many
unpatched servers in the wild.

-- 
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net

Phone: 312-602-2689 x203
Fax:   312-602-2688

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20110928/55ee1eab/attachment-0005.sig>