Am 07.10.20 um 16:46 schrieb Antal Nemeš: > > >> -----Original Message----- >> From: CentOS-devel <centos-devel-bounces at centos.org> On Behalf Of >> Leon Fauster via CentOS-devel >> Sent: Wednesday, 7 October 2020 12:31 >> To: centos-devel at centos.org >> Subject: Re: [CentOS-devel] Module version differences between RHEL8 and >> Centos8? >> > <snip> > >> Cherry picking only sec updates is not supported by this distribution. >> It results in a combination of installed packages that is not tested. >> IIRC every RHSA has a statement that all (latest) packages must be applied to >> be "secure". In this case it is not worth the effort to map hashes but other >> objectives like reportable compliance will require such metadata. > > I have not observed such statements in RHSA, at least not for RHEL8. Do you have a reference I can look at? > RHEL8 docs clearly make a provision for it: > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_and_monitoring_security_updates/installing-security-updates_managing-and-monitoring-security-updates As I said (IIRC) - I remember that the mentioned sentence where everywhere placed: Like here https://access.redhat.com/errata/RHBA-2020:3264 but it seems not to be on every errata anymore ... -- Leon