[CentOS-devel] Security and other updates - too slow
lpancescu at gmail.com
Sun Dec 18 10:35:52 UTC 2016
On 16/12/16 00:43, Phil Wyett wrote:
> As I see it the longer the time between
> vendor release and CentOS release people know that we are hittable if
> they have a viable exploit?
That's true, and I think that's the primary reason for the
recommendation to pay for RHEL for critical systems. This applies for
any distro that builds on top of another, not just CentOS - there will
always be a delay due to rebuilding the binaries. If paying for a
commercial enterprise distro isn't possible, and you need both long-term
stability and immediate security updates, the only other options I'm
aware of are Debian and Ubuntu LTS.
> I ask this as I see that the core SIG is not concentrating on the job at
> hand and concentrating on the work of their new masters - Red Hat's
> CentOS? Their heads are in the cloud. ;-)
"their new masters"? Really?! So everyone who disagrees, or simply
happens to be interested in using CentOS in the cloud, is a mindless
servant of some evil master? There was actually a lot of work going on
for the transition to 7.3, and "the cloud" was certainly not the reason
for the delay. If anything, the cloud stuff was somewhat neglected in
favor of the core distro during the transition. The 1611 Vagrant
release wasn't as smooth as I would have liked due to the unforeseen
problems with XFS compatibility.
There is no community version of e.g. SLES; CentOS and other RHEL clones
can only exist because Red Hat provides the RHEL sources to _everybody_,
not just to their customers, as the GPL requires them to. They have
enough engineers as it is; I doubt their cloud effort would be doomed
without the 5 people in the CentOS Core SIG. And if they wanted to
sabotage CentOS, they could just stop publishing the sources, instead of
resorting to secretive orders to the CentOS Core team. I see the
opposite, their engineers actively helping CentOS in the SIGs, not to
mention Fedora too. They do this because they want to, but they don't
owe us anything; I find imperative, loud demands for them (or
anybody else for that matter) to behave in a certain way, or to spend
resources to do stuff for us for free, pretty troubling.
I see Red Hat's hiring of the Core team as a positive thing, since it
provides financial stability for them to be able to work full-time on
the distro (Red Hat has a pretty hands-off approach regarding the team,
if I understood correctly). I don't think it would be in anybody's best
interest to have a repeat of the difficult transition to CentOS 6, but,
if Red Hat's direct involvement concerns you, why don't you see if you
can help Scientific Linux? It's an independent, active RHEL clone,
developed by Fermilab and several universities and science labs (CERN
switched to CentOS 7, but they used SL 6 before and co-developed it).
I am not associated with Red Hat in any way, and never was their
employee, contractor, shareholder or whatever. I spent most of my time on
Debian since 2001 (although Red Hat Linux 4.2 was the first distro I
tried, back in 1997), but I am aware of the huge positive impact Red Hat
had, if only from the press - they were there from the beginning, one of
the first distros and Linux companies. The Linux kernel wouldn't be
where it is today without them hiring a pretty large number of kernel
hackers, and they are the second biggest corporate contributor to the
Linux kernel, right behind Intel. They offered free licenses to
their patents for open-source software, open-sourced pretty much
everything they did or got from acquisitions, they sponsor a large
number of open-source projects (I'm not aware of any attempt to
influence or control the direction of projects they sponsor) and even
paid commercial font foundries to design good fonts for the Linux
desktop, and released them for everyone to use. And other distros also
benefit from tools developed by Red Hat or Fedora: I remember having
used the readahead-fedora package in Debian, a few years ago, to
significantly reduce my boot time.
> What bothers me is the docs behind the meetings. How are you
> engaging the community? No, you're not... You have a club going and the
> masses don't see what is going on.
> Real docs! CentOS is not a community project!
Obvious as that might be, I have a different opinion. The meetings are
held on #centos-devel, and the minutes are publicly available on the
web. If documentation is missing or obsolete, it's just because of a
lack of resources, not an attempt to keep people out. I had problems
with the CentOS Vagrant images some months ago, and, after debugging
together with Karanbir and others about 3 days on #centos-devel,
Karanbir asked me if I wouldn't be interested in becoming a contributor.
They brought me up to speed via direct links to the wiki, there were
some direct sessions with Brian and the rest, just emails, conversations
on IRC, bug tracking, patches on GitHub... If the documentation is
lacking, just ask people on #centos-devel; they were always very helpful.
As for Karanbir, he was always immensely helpful and he sometimes
answered my questions even late at night - I don't think he should
apologize to anyone in this case.