[CentOS-devel] Before You Get Mad About The CentOS Stream Change, Think About…

On 12/24/2020 11:21 PM, Ljubomir Ljubojevic wrote:
> On 12/23/20 11:43 PM, Gordon Messmer wrote:
>> It's pretty close, with one significant caveat: for (roughly) two months
>> out of the year, CentOS doesn't get any updates at all, including
>> security patches.  For me, that's an awfully big risk. I would much
>> rather get features on a regular basis than go without security patches
>> for a month, twice per year.
> Every CentOS user accepts this as part of the "free" offering. Anyone
> that has problem with this gap has bought RHEL subscription, as would
> have I if it was important enough for me.
>
> But I would not have said there are no security for entire 2 months
> because CentOS devs have been pushing important security updates into CR
> repooitory for instance, if I remember correctly. But again, you are
> either OK with the wait or you buy RHEL subscription, that was the deal
> everyone accept.

It's also worth pointing out that in cases where we're known to be in a 
delay period (such as just after a point release) or where there's a 
critical CVE and neither RHEL nor the CentOS updates have dropped, it's 
not uncommon for a critical update to just be rolled internally.

Take the existing SRPM, apply patch, call it N-V-R.1+ test the fix, sign 
and insert into your private yum repo that you inevitably have. Done. 
When the upstream and/or vendor fix is released, it will silently 
upgrade in place over yours with the official version. Large CentOS 
installs have teams of Linux systems engineers capable of doing this if 
a relevant security fix needs to go out.

But this depends on having a predictable upstream, and a stable 
foundation on which to build on top of. I.e., coherent OS release 
management with /updates/ layered over it. CentOS CR/Stream does not 
have this, which is why it is not generally suitable for production use 
on actual, persistent boxes.

-jc