[CentOS-devel] Module version differences between RHEL8 and Centos8?

Wed Oct 7 14:46:53 UTC 2020
Antal Nemeš <Antal.Nemes at hycu.com>


> -----Original Message-----
> From: CentOS-devel <centos-devel-bounces at centos.org> On Behalf Of
> Leon Fauster via CentOS-devel
> Sent: Wednesday, 7 October 2020 12:31
> To: centos-devel at centos.org
> Subject: Re: [CentOS-devel] Module version differences between RHEL8 and
> Centos8?
> 
<snip>

>> Thanks, Josh. The context of my questions is that I am trying to determine
>> if an installed package/module has any known security vulnerabilities and
>> requires upgrading.
>> CentOS does not provide metadata to make yum/dnf updateinfo work
>> (https://bugs.centos.org/view.php?id=16560).
>> CentOS project is not submitting CESA to centos-announce for Centos 8.x.
>> CESA always referred to RHSA, so now I only have RHSA to rely on, and
>> need to translate updated packages from RHSA to CentOS packages. 

> Cherry picking only sec updates is not supported by this distribution.
> It results in a combination of installed packages that is not tested.
> IIRC every RHSA has a statement that all (latest) packages must be applied to
> be "secure". In this case it is not worth the effort to map hashes but other
> objectives like reportable compliance will require such metadata.

I have not observed such statements in RHSA, at least not for RHEL8. Do you have a reference I can look at?
RHEL8 docs clearly make a provision for it:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_and_monitoring_security_updates/installing-security-updates_managing-and-monitoring-security-updates

> >> It would be false to assume the same analysis and metadata applied to
> >> binaries that the product teams don't have control over or even look at
> >> simply because the NVR matched.
> >> Build order, build systems, etc all matter.  We make a point to be honest
> >> to our customers and to our community projects and only intend errata
> >> metadata to cover RHEL itself.
> >>
> >> Metadata about CentOS binaries should come from the CentOS project
> >> and systems using that OS should rely on that.
> >
> > I agree, but CentOS project does not make such metadata (e.g. CESA,
> updateinfo) available.
> 
> 
> I think the CentOS project has no resources for that and this is what RHEL
> provides.

I am not asking the CentOS project to make this metadata available.
I am just looking for ways to make use of what is already publicly available from Red Hat and endorsed by the CentOS project.
Right now, the only obstacle to getting a (decent) translation of OVAL definitions from RHEL8 to CentOS8 is the module version mapping.

> --
> Leon
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
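The mapping problem raised above (checking installed CentOS 8 packages against RHSA fixed-in versions when modular builds carry build-system-specific release suffixes), as an added example that is not part of this thread. It assumes the modular release formats `N.module+el8.x.y+BUILD+CTX` (RHEL) and `N.module_el8.x.y+BUILD+CTX` (CentOS), ignores epochs, and uses a simplified rpmvercmp (no caret handling); the advisory and installed-package data are constructed.

```python
import re

# Constructed sample data: an advisory's fixed-in version-release per package,
# and installed NVRs as `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` would print them.
ADVISORY_FIXED = {
    "nodejs": "10.21.0-3.module+el8.2.0+7071+d2f17bc0",  # RHEL modular build (constructed)
    "openssl-libs": "1.1.1c-15.el8",                      # non-modular
}
INSTALLED = [
    "nodejs-10.21.0-3.module_el8.2.0+391+8da3adc6",  # CentOS rebuild, different build id/context
    "openssl-libs-1.1.1c-2.el8",                      # older than the fixed-in release
]

# Assumed modular suffix layout: .module{+|_}el8[.x.y]+<build id>+<8 hex context chars>
MODULE_CTX = re.compile(r"\.module[+_]el8(\.\d+)*\+\d+\+[0-9a-f]{8}$")

def _segments(s):
    return re.findall(r"[0-9]+|[a-zA-Z]+|~", s)

def rpmvercmp(a, b):
    """Simplified rpm version comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1   # tilde sorts before anything
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1     # numeric segment beats alphabetic
        elif x != y:
            return -1 if x < y else 1
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]  # leftover segments decide, tilde is lower
    if rest_a:
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0

def normalize_release(release):
    """Collapse the build-specific modular suffix so RHEL and CentOS builds compare on base release."""
    return MODULE_CTX.sub(".module", release)

def needs_update(installed, advisory):
    """Return installed NVRs whose version-release is older than the advisory's fixed-in value."""
    out = []
    for nvr in installed:
        name, ver, rel = nvr.rsplit("-", 2)
        if name in advisory:
            fver, frel = advisory[name].rsplit("-", 1)
            c = rpmvercmp(ver, fver) or rpmvercmp(normalize_release(rel), normalize_release(frel))
            if c < 0:
                out.append(nvr)
    return out
```

A matching base release only says the CentOS rebuild corresponds to the same source NVR; as the Red Hat reply quoted above notes, it is not evidence that the binaries are identical.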