[CentOS-devel] Security and other updates - too slow

Sun Dec 18 10:35:52 UTC 2016
Laurentiu Pancescu <lpancescu at gmail.com>

On 16/12/16 00:43, Phil Wyett wrote:
> As I see it the longer the time between
> vendor release and CentOS release people know that we are hittable if
> they have a viable exploit?

That's true, and I think that's the primary reason for the 
recommendation to pay for RHEL for critical systems.  This applies to 
any distro that builds on top of another, not just CentOS - there will 
always be a delay due to rebuilding the binaries.  If paying for a 
commercial enterprise distro isn't possible, and you need both long-term 
stability and immediate security updates, the only other options I'm 
aware of are Debian and Ubuntu LTS.

> I ask this as I see that the core SIG is not concentrating on the job at
> hand and concentrating on the work of their new masters - Red Hat's
> CentOS? Their heads are in the cloud. ;-)

"their new masters"?  Really?!  So everyone who disagrees, or simply 
happens to be interested in using CentOS in the cloud, is a mindless 
servant of some evil master?  There was actually a lot of work going on 
for the transition to 7.3, and "the cloud" was certainly not the reason 
for the delay.  If anything, the cloud stuff was somewhat neglected in 
favor of the core distro during the transition.  The 1611 Vagrant 
release wasn't as smooth as I would have liked due to the unforeseen 
problems with XFS compatibility.

There is no community version of e.g. SLES; CentOS and other RHEL clones 
can only exist because Red Hat provides the RHEL sources to _everybody_, 
not just to their customers, as the GPL requires them to.  They have 
enough engineers as it is, I doubt their cloud effort would be doomed 
without the 5 people in the CentOS Core SIG.  And if they wanted to 
sabotage CentOS, they could just stop publishing the sources, instead of 
resorting to secretive orders to the CentOS Core team.  I see the 
opposite, their engineers actively helping CentOS in the SIGs, not to 
mention Fedora too.  They do this because they want to, but they don't 
owe us anything; I find imperative, loud demands for them (or 
anybody else for that matter) to behave in a certain way, or to spend 
resources to do stuff for us for free, pretty troubling.

I see Red Hat's hiring of the Core team as a positive thing, since it 
provides financial stability for them to be able to work full-time on 
the distro (Red Hat has a pretty hands-off approach regarding the team, 
if I understood correctly).  I don't think it would be in anybody's best 
interest to have a repeat of the difficult transition to CentOS 6, but, 
if Red Hat's direct involvement concerns you, why don't you see if you 
can help Scientific Linux?  It's an independent, active RHEL clone, 
developed by Fermilab and several universities and science labs (CERN 
switched to CentOS 7, but they used SL 6 before and co-developed it).

I am not associated with Red Hat in any way, and never was their 
employee, contractor, shareholder or whatever.  I have spent most of my 
time on Debian since 2001 (although Red Hat Linux 4.2 was the first 
distro I tried, back in 1997), but I am aware of the huge positive impact 
Red Hat 
had, if only from the press - they were there from the beginning, one of 
the first distros and Linux companies.  The Linux kernel wouldn't be 
where it is today without them hiring a pretty large number of kernel 
hackers, and they are the second biggest corporate contributor to the 
Linux kernel, right behind Intel.[1]  They offered free licenses to 
their patents for open-source software, open-sourced pretty much 
everything they did or got from acquisitions, they sponsor a large 
number of open-source projects (I'm not aware of any attempt to 
influence or control the direction of projects they sponsor) and even 
paid commercial font foundries to design good fonts for the Linux 
desktop, and released them for everyone to use.  And other distros also 
benefit from tools developed by Red Hat or Fedora: I remember having 
used the readahead-fedora package in Debian, a few years ago, to 
significantly reduce my boot time.

[1] 
https://www.linux.com/blog/top-10-developers-and-companies-contributing-linux-kernel-2015-2016

> What bothers me is the docs behind the meetings. How are you
> engaging the community. No you're not... You have a club going and the
> masses don't see what is going on.
>
> Real docs! CentOS is not a community project!

Obvious as that might be, I have a different opinion.  The meetings are 
held on #centos-devel, and the minutes are publicly available on the 
web.  If documentation is missing or obsolete, it's just because of a 
lack of resources, not an attempt to keep people out.  I had problems 
with the CentOS Vagrant images some months ago, and, after debugging 
together with Karanbir and others for about 3 days on #centos-devel, 
Karanbir asked me if I wouldn't be interested in becoming a contributor. 
They brought me up to speed via direct links to the wiki, there were 
some direct sessions with Brian and the rest, just emails, conversations 
on IRC, bug tracking, patches on GitHub...  If the documentation is 
lacking, just ask people on #centos-devel, they were always very helpful.

As for Karanbir, he was always immensely helpful and he sometimes 
answered my questions even late at night - I don't think he should 
apologize to anyone in this case.

Best regards,
Laurențiu