On 12/24/2020 11:21 PM, Ljubomir Ljubojevic wrote: > On 12/23/20 11:43 PM, Gordon Messmer wrote: >> It's pretty close, with one significant caveat: for (roughly) two months >> out of the year, CentOS doesn't get any updates at all, including >> security patches. For me, that's an awfully big risk. I would much >> rather get features on a regular basis than go without security patches >> for a month, twice per year. > Every CentOS user accepts this as part of the "free" offering. Anyone > that has problem with this gap has bought RHEL subscription, as would > have I if it was important enough for me. > > But I would not have said there are no security for entire 2 months > because CentOS devs have been pushing important security updates into CR > repooitory for instance, if I remember correctly. But again, you are > either OK with the wait or you buy RHEL subscription, that was the deal > everyone accept. It's also worth pointing out that in cases where we're known to be in a delay period (such as just after a point release) or where there's a critical CVE and neither RHEL nor the CentOS updates have dropped, it's not uncommon for a critical update to just be rolled internally. Take the existing SRPM, apply patch, call it N-V-R.1+ test the fix, sign and insert into your private yum repo that you inevitably have. Done. When the upstream and/or vendor fix is released, it will silently upgrade in place over yours with the official version. Large CentOS installs have teams of Linux systems engineers capable of doing this if a relevant security fix needs to go out. But this depends on having a predictable upstream, and a stable foundation on which to build on top of. I.e., coherent OS release management with /updates/ layered over it. CentOS CR/Stream does not have this, which is why it is not generally suitable for production use on actual, persistent boxes. -jc