[CentOS-devel] Security and other updates - too slow

Fri Dec 16 14:16:34 UTC 2016
Johnny Hughes <johnny at centos.org>

On 12/16/2016 07:12 AM, Laurentiu Pancescu wrote:
> On 16/12/16 12:08, Karanbir Singh wrote:
>> On 16/12/16 10:49, Trevor Hemsley wrote:
>>> 7.3.1611 took 39 days from the upstream release which is 2 weeks longer
>>> than the previous el7 drops.
>>
>> I am going to try and work this out - plan on doing a better teardown
>> and work through the issues early Jan once this release has settled. We
>> got a few things right, a couple of things went sideways. But I agree,
>> we should aim to turn around a major release in 15 days or less.
> 
> I'm pretty new to CentOS: since only the last official release is
> supported, does this mean that users get no security updates at all
> during the time frame between Red Hat's official RHEL 7.3 release and
> the availability of our rebuild?  Something like 15 days ideally, or 39
> days in this particular instance?  If this is true, perhaps we should
> enable the CR repo by default, at the risk of stuff breaking?

We don't get to look at the source code before the release of RHEL .. then
we get the source code on git.centos.org.

We have no real idea of the exact build order; it is trial and error.
Once we get rpms built, they go through some initial QA.  Then we
release them as CR.  Goals for each are listed below.

> 
> During the normal lifetime of a point release, security updates normally
> become available 24-72 hours after Red Hat publishes the fixes - has
> that changed recently?

That is for normal updates after the point release is done, before the
next point release.

For a point release .. 7-14 days for CR and then 14-21 days for the
official tree (after CR) has always been the goal.

> 
> Another issue with security updates is how long it sometimes takes for
> them to arrive in our SCL repositories.  In one case, there was a delay
> of 4 months for PHP[1] and I also remember a critical fix for Python 3
> taking several weeks.  Couldn't we get some sort of notification on new
> commits in Red Hat's public repo?

SCLs are a SIG, not part of the Core SIG.  The SIG would have to address
that.

> 
> [1] https://www.redhat.com/archives/sclorg/2014-November/msg00008.html
> [2] https://www.redhat.com/archives/sclorg/2014-November/msg00005.html
> 
>>> The latest https://rhn.redhat.com/errata/RHSA-2016-2946.html which is a
>>> critical update for firefox released on the 14th is still not released
>>> for CentOS 7 after 2 days.
> 
> The original advisory[3] for Firefox 50.1 lists a few more CVEs than Red
> Hat's bulletin (the critical security fixes are backported by Mozilla in
> the ESR version "where feasible", which is why the Canonical Security
> Team decided to offer the normal Firefox releases in Ubuntu LTS, not the
> ESR ones). [4]
> 
> [3] https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
> [4] http://www.chriscoulson.me.uk/blog/?p=111
> 
> Best regards,
> Laurențiu
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
