On 10/7/20 5:30 PM, Antal Nemeš wrote:
>
>
>> -----Original Message-----
>> From: CentOS-devel <centos-devel-bounces at centos.org> On Behalf Of
>> Leon Fauster via CentOS-devel
>> Sent: Wednesday, 7 October 2020 23:41
>> To: centos-devel at centos.org
>> Subject: Re: [CentOS-devel] Module version differences between RHEL8 and
>> Centos8?
>>
>> On 07.10.20 at 16:46, Antal Nemeš wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: CentOS-devel <centos-devel-bounces at centos.org> On Behalf Of
>>>> Leon Fauster via CentOS-devel
>>>> Sent: Wednesday, 7 October 2020 12:31
>>>> To: centos-devel at centos.org
>>>> Subject: Re: [CentOS-devel] Module version differences between RHEL8
>>>> and Centos8?
>>>>
>>> <snip>
>>>
>>>> Cherry picking only sec updates is not supported by this distribution.
>>>> It results in a combination of installed packages that is not tested.
>>>> IIRC every RHSA has a statement that all (latest) packages must be
>>>> applied to be "secure". In this case it is not worth the effort to
>>>> map hashes but other objectives like reportable compliance will require
>>>> such metadata.
>>>
>>> I have not observed such statements in RHSA, at least not for RHEL8. Do
>>> you have a reference I can look at?
>>> RHEL8 docs clearly make a provision for it:
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_and_monitoring_security_updates/installing-security-updates_managing-and-monitoring-security-updates
>>
>>
>> As I said (IIRC) - I remember that the mentioned sentence was
>> placed everywhere: Like here
>>
>> https://access.redhat.com/errata/RHBA-2020:3264
>>
>> but it seems not to be on every errata anymore ...
>
> Thanks for the reference. I see this note consistently on RHBA, but I have so far not seen it on any RHSA.
>

Regardless ..
it is on the link listed in solutions:

https://access.redhat.com/articles/11258

Quote:

Applying package updates on Red Hat Enterprise Linux 8

Before installing an update, make sure all previously released errata relevant to the system have been applied.

No one tests for mixed and skipped errata .. RHEL or CentOS.

From a security only perspective, the security updates are obviously most important. That does not make bugfix updates unimportant. The only certified solution is the one on each active channel that includes all released updates. That is true regardless of the OS.

Red Hat does provide some updates in an extended tree for some releases, but those EAS/EUS trees still require all the rpms to be the latest released in that tree .. not a mixed and matched hodge podge where you have older rpms mixed with newer rpms.