[CentOS-devel] Security and other updates - too slow

Fri Dec 16 13:12:32 UTC 2016
Laurentiu Pancescu <lpancescu at gmail.com>

On 16/12/16 12:08, Karanbir Singh wrote:
> On 16/12/16 10:49, Trevor Hemsley wrote:
>> 7.3.1611 took 39 days from the upstream release which is 2 weeks longer
>> than the previous el7 drops.
>
> I am going to try and work this out - plan on doing a better teardown
> and work through the issues early Jan once this release has settled. We
> got a few things right, a couple of things went sideways. But I agree,
> we should aim to turn around a major release in 15 days or less.

I'm pretty new to CentOS: since only the last official release is 
supported, does this mean that users get no security updates at all 
during the time frame between Red Hat's official RHEL 7.3 release and 
the availability of our rebuild?  Something like 15 days ideally, or 39 
days in this particular instance?  If this is true, perhaps we should 
enable the CR repo by default, at the risk of stuff breaking?

During the normal lifetime of a point release, security updates normally 
become available 24-72 hours after Red Hat publishes the fixes - has 
that changed recently?

Another issue with security updates is how long it sometimes takes for 
them to arrive in our SCL repositories.  In one case, there was a delay 
of 4 months for PHP[1] and I also remember a critical fix for Python 3 
taking several weeks.  Couldn't we get some sort of notification on new 
commits in Red Hat's public repo?

[1] https://www.redhat.com/archives/sclorg/2014-November/msg00008.html
[2] https://www.redhat.com/archives/sclorg/2014-November/msg00005.html

>> The latest https://rhn.redhat.com/errata/RHSA-2016-2946.html which is a
>> critical update for firefox released on the 14th is still not released
>> for CentOS 7 after 2 days.

The original advisory[3] for Firefox 50.1 lists a few more CVEs than Red 
Hat's bulletin (the critical security fixes are backported by Mozilla in 
the ESR version "where feasible", which is why the Canonical Security 
Team decided to offer the normal Firefox releases in Ubuntu LTS, not the 
ESR ones). [4]

[3] https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
[4] http://www.chriscoulson.me.uk/blog/?p=111

Best regards,
Laurențiu