On 12/8/20 1:39 PM, Mauricio Tavares wrote: > On Tue, Dec 8, 2020 at 12:00 PM Johnny Hughes <johnny at centos.org> wrote: >> >> On 12/8/20 8:58 AM, Manuel Wolfshant wrote: >>> On 12/8/20 4:47 PM, Patrick Riehecky wrote: >>>> Hello, >>>> >>>> Does >>>> https://centos.org/distro-faq/#q5-does-this-mean-that-centos-stream-is-the-rhel-beta-test-platform-now >>>> >>>> address your concerns? >>> >>> When I see "Security issues will be updated in CentOS Stream after they >>> are solved in the current RHEL release." I can only reply your question >>> with "No, it does not" >> >> That is NO different that now. We build CentOS updates after they are >> released in RHEL and then the source code is pushed to git.centos.org >> .. we always have. >> >> This is no different. The security updates will be pushed to stream >> after they have been pushed to RHEL .. just like now. > > So it will get package upgrades first because it is supposed to > be RHEL +0.1 but will get security patches later since in that aspect > it is RHEL -0.1. When Red Hat does security update .. they will do it to the current RHEL version first. Lets say a new issue is discovered in xorg. Today they will fix the issue and send it to qa. While it is in testing they will start working to port it to Stream (stream usually is slightly newer version of the same package .. the current fix MIGHT not work as is). QA is done on the security fix now .. the push it to RHEL .. part of that process is to release the source code to git.centos.org. They will likely also roll out the fix NOW into stream if it is ready. That is when we would get it in the current CentOS process. We then have to build it and release it. They will also now build this for stream .. very soon after it got released into RHEL and almost exactly with the same timing we currently have in CentOS Linux. How do we know they will .. because the security patches rooled into Stream will be used to BUILD other software in stream. It does no one any good to have bad software built against non-secure software that they are using in the RHEL development process. Therefore, it makes no sense for them NOT to roll stuff into stream the day it goes into RHEL.