[CentOS-devel] Security and other updates - too slow

Fri Dec 16 18:30:53 UTC 2016
Lamar Owen <lowen at pari.edu>

On 12/15/2016 06:43 PM, Phil Wyett wrote:
> How is the core SIG looking at improving and speeding up (more than one
> person) builds of updates? As I see it the longer the time between
> vendor release and CentOS release people know that we are hittable if
> they have a viable exploit?

I'm trying to not come across too harshly, but if you need a guaranteed 
speed of update, then you need to purchase an RHEL subscription.

The same source that is being rebuilt for CentOS is publicly available, 
and there is nothing preventing you from rebuilding it at the speed you 
need.

From my point of view I'm happy just getting the updates at any time, 
even if there is a delay in release.  If I want better speed of updates, 
I buy RHEL subscriptions (and I do have one personally for a critical 
machine).  Or I rebuild from the same sources that CentOS uses, although 
I have found that the CentOS developers almost always beat me to getting 
packages built, even when I do try to do the rebuild myself. (As Johnny 
alluded to, it's not just 'take this group of sources and build in any 
arbitrary order' and the so-called point releases can be much more 
difficult than ordinary updates due to build order puzzles.)

The CentOS developers have, in my opinion, done a fantastic job of 
turning out timely updates since 6.0/5.6/4.9 days, and I am personally 
and professionally grateful for the time spent, at no cost to me, for 
this to happen.