[CentOS-devel] Help Clair Support CentOS

Fri Apr 9 17:46:54 UTC 2021
Louis DeLosSantos <ldelossa at redhat.com>

Thanks for this info, this is very helpful for us.

I'm gaining that any matching between CentOS packages and RHEL packages
will be a "best guess" effort at best.

This is good information, and is what I sought out to gather.

Appreciate your response.

On Fri, Apr 9, 2021 at 11:54 AM Johnny Hughes <johnny at centos.org> wrote:

> On 4/9/21 10:27 AM, Louis DeLosSantos wrote:
> > Hello,
> >
> > My name is Louis and I'm the core maintainer of Clar:
> > https://github.com/quay/clair <https://github.com/quay/clair>
> >
> > Clair is a project for scanning containers for vulnerabilities.
> >
> > We'd like to support CentOS but we need a little help in the form of
> > information gathering.
> >
> > For Clair to properly support a distribution we typically require it to
> > have an official upstream vulnerability database. For example, RHEL has
> > their own Oval 2 feeds as does
> > Ubuntu, Suse, etc...
> >
> > What we are trying to determine is how we can extract packages from
> > CentOS containers and match against known vulnerabilities.
> >
> > We have the first half worked out already, we have generic RPM database
> > scanners which extract package names and versions.
> >
> > The second half is where we need some more information.
> >
> > A few questions:
> > * Does CentOS maintain its own security database for packages in its
> > downstream repositories ?
> > * If not, can we reliably treat any CentOS packages (name, versions)
> > identical to the way we treat RHEL packages. (For instance if we find
> > package A with version B can we attempt to match this against RHEL's
> > Oval v2 stream?)
> > * Can you provide any information on package naming, versioning, and
> > packaging that creates a difference between RHEL packages and CentOS?
> >
> > Thank you for your time, I look forward to hearing back.
> >
>
> CentOS 8 Linux is going EOL in 7 months .. I would not recommend doing
> anything for that WRT security info.
>
> CentOS 8 Stream will not have the exact versions from RHEL .. it will be
> slightly ahead of released RHEL (it will the the source code which will
> become the NEXT point release of RHEL .. usually between 1 and 6 months
> ahead of the current RHEL).
>
> CentOS 7 Linux is a direct rebuild of release RHEL 7 source code.
> However, neither the CentOS Project or Red Hat provide any assurance
> that CentOS has or fixes ANY security issues.  We have never tested for
> any, and we never will.  CentOS Linux 7 is just built source code that
> users decide either meets or does not meet their requirements.
>
> We announce CentOS 7 Linux updates here:
> https://lists.centos.org/pipermail/centos-announce/
>
> That lists our shasums .. and a link to what Red Hat said the update was
> for .. BUT .. the CentOS Project does not do any validations or make any
> claims about the software other than we built and released the packages.
> We also make it easier for users to look at what the update is said to
> have fixed. But, it is the user's responsibility to test anything they
> want to test prior to use.
>
> As to any assumptions to whether or not the same version of a RHEL and
> CentOS Linux package is the same .. we make no claims on that either.
> The were built, in a different closed build system, from the same source
> code.  The build systems are completely different .. so the packages are
> never identical.  Only an individual user can determine if this is good
> enough for them to use.  Only they can determine the risk they are
> willing to accept for testing they require for assurance WRT security.
> The purpose of all the testing that RHEL does and the software assurance
> they provide (for a cost) is why RHEL exists.  That is the only Red Hat
> distribution that exists that has this assurance.
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210409/8eb5bd3c/attachment-0003.html>