[CentOS-devel] Security and other updates - too slow

Fri Dec 16 14:15:18 UTC 2016
Karanbir Singh <mail-lists at karan.org>

On 16/12/16 13:12, Laurentiu Pancescu wrote:
> I'm pretty new to CentOS: since only the last official release is
> supported, does this mean that users get no security updates at all
> during the time frame between Red Hat's official RHEL 7.3 release and
> the availability of our rebuild?  Something like 15 days ideally, or 39
> days in this particular instance?  If this is true, perhaps we should
> enable the CR repo by default, at the risk of stuff breaking?

The CR repo will typically see content at point release time fairly
quickly. Through the life of the release, security updates are released
within 24 hrs. The avg time in the last 12 months has been less than 18
hrs or so.

The CR model is perhaps something we need to reconsider a bit - there is
wider impact than just the distro; e.g. the SIGs needed to line up
content and we tried to work with the ci infra and the cbs infra to get
something like a sync release out - and it didn't work out as planned.
When we did not do this last time, we also had impact - just that this
time it was different. And we should have that conversation, build the
model and the automation required around it - and get better next time.

The 15 day point is for the distro content turnaround. To me, that means
any existing user should be able to yum update to the new content - not
always mapping to the ISO media itself.

> During the normal lifetime of a point release, security updates normally
> become available 24-72 hours after Red Hat publishes the fixes - has
> that changed recently?

It's only gotten better.

> Another issue with security updates is how long it sometimes takes for
> them to arrive in our SCL repositories.  In one case, there was a delay
> of 4 months for PHP[1] and I also remember a critical fix for Python 3
> taking several weeks.  Couldn't we get some sort of notification on new
> commits in Red Hat's public repo?
> 
> [1] https://www.redhat.com/archives/sclorg/2014-November/msg00008.html
> [2] https://www.redhat.com/archives/sclorg/2014-November/msg00005.html

This is really something to work with the SCLo SIG around, maybe we can
do some automation and help with testing in some way to try and improve
that delta?

>>> The latest https://rhn.redhat.com/errata/RHSA-2016-2946.html which is a
>>> critical update for firefox released on the 14th is still not released
>>> for CentOS 7 after 2 days.
> 
> The original advisory[3] for Firefox 50.1 lists a few more CVEs than Red
> Hat's bulletin (the critical security fixes are backported by Mozilla in
> the ESR version "where feasible", which is why the Canonical Security
> Team decided to offer the normal Firefox releases in Ubuntu LTS, not the
> ESR ones). [4]
> 
> [3] https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
> [4] http://www.chriscoulson.me.uk/blog/?p=111
> 


-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
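The turnaround figures discussed in this thread (security updates within 24 hrs, an average under 18 hrs, the 24-72 hr range in the question, and the open window between a RHEL point release and the CentOS rebuild) are all measurable from advisory timestamps. The script below is an added example, not code from this thread or from the CentOS project: it takes a list of advisories with their RHEL and CentOS publish times, treats an advisory with no CentOS rebuild yet as an open exposure window measured up to "now", and flags anything past a per-severity target. The SLA_HOURS thresholds are assumptions for the example, not CentOS policy; only RHSA-2016:2946 is a real advisory (the one cited above), and every RHSA-EXAMPLE-* record and every timestamp is constructed.

```python
"""Measure the window between a RHEL security advisory and the matching
CentOS rebuild, and flag advisories still outside the expected turnaround.
Added example; all records except the RHSA-2016:2946 id are constructed."""
from datetime import datetime
from statistics import mean
from typing import Optional

# Assumed turnaround targets in hours, loosely following the "within 24 hrs"
# figure in the thread for security updates and the 24-72 hr range mentioned
# in the question. These are assumptions for the example, not CentOS policy.
SLA_HOURS = {"Critical": 24, "Important": 24, "Moderate": 72, "Low": 72}

# Constructed sample data: (advisory, severity, RHEL publish time,
# CentOS publish time or None if the rebuild has not appeared yet).
# Only the RHSA-2016:2946 id is real (cited in the thread); its timestamps and
# every RHSA-EXAMPLE-* entry are hypothetical placeholders.
SAMPLE_ERRATA = [
    ("RHSA-2016:2946", "Critical", "2016-12-14T15:00:00", None),
    ("RHSA-EXAMPLE-A", "Important", "2016-12-01T09:00:00", "2016-12-01T21:00:00"),
    ("RHSA-EXAMPLE-B", "Moderate", "2016-11-20T08:00:00", "2016-11-22T20:00:00"),
    ("RHSA-EXAMPLE-C", "Critical", "2016-11-10T12:00:00", "2016-11-12T12:00:00"),
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def lag_hours(rhel_ts: str, centos_ts: Optional[str], now: datetime) -> float:
    """Hours between the RHEL advisory and the CentOS rebuild.

    An advisory with no CentOS rebuild yet is an open exposure window, so its
    lag is measured up to `now` rather than being skipped: the unpatched time
    is real whether or not the rebuild has landed.
    """
    end = parse_ts(centos_ts) if centos_ts else now
    return (end - parse_ts(rhel_ts)).total_seconds() / 3600.0


def errata_report(errata, now: datetime) -> dict:
    """Per-advisory lag and SLA status, plus the mean lag of closed advisories."""
    rows = {}
    for advisory, severity, rhel_ts, centos_ts in errata:
        lag = lag_hours(rhel_ts, centos_ts, now)
        rows[advisory] = {
            "severity": severity,
            "lag_hours": lag,
            "closed": centos_ts is not None,
            "overdue": lag > SLA_HOURS.get(severity, 72),
        }
    closed = [r["lag_hours"] for r in rows.values() if r["closed"]]
    return {
        "advisories": rows,
        "mean_closed_lag_hours": mean(closed) if closed else None,
        # Open windows already past their target: the ones worth chasing now.
        "open_overdue": sorted(
            a for a, r in rows.items() if not r["closed"] and r["overdue"]
        ),
    }


if __name__ == "__main__":
    # Evaluate as of the timestamp of the mail above.
    report = errata_report(SAMPLE_ERRATA, parse_ts("2016-12-16T14:15:18"))
    for advisory, row in report["advisories"].items():
        state = "closed" if row["closed"] else "open"
        flag = " OVERDUE" if row["overdue"] else ""
        print(f"{advisory:16} {row['severity']:9} {row['lag_hours']:7.1f}h {state}{flag}")
    print(f"mean lag (closed): {report['mean_closed_lag_hours']:.1f}h")
    print("still open past SLA:", ", ".join(report["open_overdue"]) or "none")
```

Run against a real feed, the RHEL column would come from the RHSA publication dates and the CentOS column from the changelog or build time of the rebuilt package; the mean of the closed rows is the "avg time" figure, and the open_overdue list is the exposure a site carries while a point release is still being rebuilt.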