[CentOS-devel] https://blog.centos.org/2020/12/future-is-centos-stream/

Tue Dec 8 19:57:09 UTC 2020
Johnny Hughes <johnny at centos.org>

On 12/8/20 1:39 PM, Mauricio Tavares wrote:
> On Tue, Dec 8, 2020 at 12:00 PM Johnny Hughes <johnny at centos.org> wrote:
>>
>> On 12/8/20 8:58 AM, Manuel Wolfshant wrote:
>>> On 12/8/20 4:47 PM, Patrick Riehecky wrote:
>>>> Hello,
>>>>
>>>> Does
>>>> https://centos.org/distro-faq/#q5-does-this-mean-that-centos-stream-is-the-rhel-beta-test-platform-now
>>>>
>>>> address your concerns?
>>>
>>> When I see "Security issues will be updated in CentOS Stream after they
>>> are solved in the current RHEL release." I can only reply your question
>>> with "No, it does not"
>>
>> That is NO different that now.  We build CentOS updates after they are
>> released in RHEL and then the source code is pushed to git.centos.org
>> .. we always have.
>>
>> This is no different.  The security updates will be pushed to stream
>> after they have been pushed to RHEL .. just like now.
> 
>       So it will get package upgrades first because it is supposed to
> be RHEL +0.1 but will get security patches later since in that aspect
> it is RHEL -0.1.

When Red Hat does security update .. they will do it to the current RHEL
version first.

Lets say a new issue is discovered in xorg.  Today they will fix the
issue and send it to qa.  While it is in testing they will start working
to port it to Stream (stream usually is slightly newer version of the
same package .. the current fix MIGHT not work as is).

QA is done on the security fix now .. the push it to RHEL .. part of
that process is to release the source code to git.centos.org.  They will
likely also roll out the fix NOW into stream if it is ready.

That is when we would get it in the current CentOS process.  We then
have to build it and release it.

They will also now build this for stream .. very soon after it got
released into RHEL and almost exactly with the same timing we currently
have in CentOS Linux.

How do we know they will .. because the security patches rooled into
Stream will be used to BUILD other software in stream.  It does no one
any good to have bad software built against non-secure software that
they are using in the RHEL development process. Therefore, it makes no
sense for them NOT to roll stuff into stream the day it goes into RHEL.