[CentOS-devel] Security and other updates - too slow
Laurentiu Pancescu
lpancescu at gmail.com
Fri Dec 16 13:12:32 UTC 2016

On 16/12/16 12:08, Karanbir Singh wrote:
> On 16/12/16 10:49, Trevor Hemsley wrote:
>> 7.3.1611 took 39 days from the upstream release which is 2 weeks longer
>> than the previous el7 drops.
>
> I am going to try and work this out - plan on doing a better teardown
> and work through the issues early Jan once this release has settled. We
> got a few things right, a couple of things went sideways. But I agree,
> we should aim to turn around a major release in 15 days or less.

I'm pretty new to CentOS: since only the last official release is
supported, does this mean that users get no security updates at all
during the time frame between Red Hat's official RHEL 7.3 release and
the availability of our rebuild? Something like 15 days ideally, or 39
days in this particular instance? If this is true, perhaps we should
enable the CR repo by default, at the risk of stuff breaking?

During the normal lifetime of a point release, security updates normally
become available 24-72 hours after Red Hat publishes the fixes - has
that changed recently?

Another issue with security updates is how long it sometimes takes for
them to arrive in our SCL repositories. In one case, there was a delay
of 4 months for PHP[1] and I also remember a critical fix for Python 3
taking several weeks. Couldn't we get some sort of notification on new
commits in Red Hat's public repo?

[1] https://www.redhat.com/archives/sclorg/2014-November/msg00008.html
[2] https://www.redhat.com/archives/sclorg/2014-November/msg00005.html

>> The latest https://rhn.redhat.com/errata/RHSA-2016-2946.html which is a
>> critical update for firefox released on the 14th is still not released
>> for CentOS 7 after 2 days.

The original advisory[3] for Firefox 50.1 lists a few more CVEs than Red
Hat's bulletin (the critical security fixes are backported by Mozilla in
the ESR version "where feasible", which is why the Canonical Security
Team decided to offer the normal Firefox releases in Ubuntu LTS, not the
ESR ones).[4]

[3] https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
[4] http://www.chriscoulson.me.uk/blog/?p=111

Best regards,
Laurențiu