Thanks for this info, this is very helpful for us. I'm gaining that any matching between CentOS packages and RHEL packages will be a "best guess" effort at best. This is good information, and is what I sought out to gather. Appreciate your response.

On Fri, Apr 9, 2021 at 11:54 AM Johnny Hughes <johnny at centos.org> wrote:
> On 4/9/21 10:27 AM, Louis DeLosSantos wrote:
> > Hello,
> >
> > My name is Louis and I'm the core maintainer of Clair:
> > https://github.com/quay/clair
> >
> > Clair is a project for scanning containers for vulnerabilities.
> >
> > We'd like to support CentOS but we need a little help in the form of
> > information gathering.
> >
> > For Clair to properly support a distribution we typically require it to
> > have an official upstream vulnerability database. For example, RHEL has
> > their own Oval 2 feeds as do Ubuntu, Suse, etc...
> >
> > What we are trying to determine is how we can extract packages from
> > CentOS containers and match against known vulnerabilities.
> >
> > We have the first half worked out already, we have generic RPM database
> > scanners which extract package names and versions.
> >
> > The second half is where we need some more information.
> >
> > A few questions:
> > * Does CentOS maintain its own security database for packages in its
> > downstream repositories?
> > * If not, can we reliably treat any CentOS packages (name, versions)
> > identical to the way we treat RHEL packages? (For instance if we find
> > package A with version B can we attempt to match this against RHEL's
> > Oval v2 stream?)
> > * Can you provide any information on package naming, versioning, and
> > packaging that creates a difference between RHEL packages and CentOS?
> >
> > Thank you for your time, I look forward to hearing back.
> >
>
> CentOS 8 Linux is going EOL in 7 months .. I would not recommend doing
> anything for that WRT security info.
>
> CentOS 8 Stream will not have the exact versions from RHEL .. it will be
> slightly ahead of released RHEL (it will be the source code which will
> become the NEXT point release of RHEL .. usually between 1 and 6 months
> ahead of the current RHEL).
>
> CentOS 7 Linux is a direct rebuild of released RHEL 7 source code.
> However, neither the CentOS Project nor Red Hat provide any assurance
> that CentOS has or fixes ANY security issues. We have never tested for
> any, and we never will. CentOS Linux 7 is just built source code that
> users decide either meets or does not meet their requirements.
>
> We announce CentOS 7 Linux updates here:
> https://lists.centos.org/pipermail/centos-announce/
>
> That lists our shasums .. and a link to what Red Hat said the update was
> for .. BUT .. the CentOS Project does not do any validations or make any
> claims about the software other than we built and released the packages.
> We also make it easier for users to look at what the update is said to
> have fixed. But, it is the user's responsibility to test anything they
> want to test prior to use.
>
> As to any assumptions to whether or not the same version of a RHEL and
> CentOS Linux package is the same .. we make no claims on that either.
> They were built, in a different closed build system, from the same source
> code. The build systems are completely different .. so the packages are
> never identical. Only an individual user can determine if this is good
> enough for them to use. Only they can determine the risk they are
> willing to accept for testing they require for assurance WRT security.
> The purpose of all the testing that RHEL does and the software assurance
> they provide (for a cost) is why RHEL exists. That is the only Red Hat
> distribution that exists that has this assurance.
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
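The thread above boils down to a matching policy: CentOS 7 Linux packages can be compared against RHEL 7 advisory data on a best-guess basis (same source, different build system, no validation by either project), while CentOS Stream runs ahead of released RHEL so its versions do not line up with RHEL feeds at all. The following is an added example, not code from Clair or the CentOS Project, of how a scanner could encode that policy: an RPM version comparison in the style of rpm's rpmvercmp, EVR comparison on top of it, and a matcher that tags every CentOS result with the caveat the reply insists on. The advisory records, package list, advisory ids and `os_id` labels are all constructed for illustration (the ids are placeholders, not real RHSA numbers), and the `os_id` strings are assumed to have been derived by the scanner from the container's /etc/os-release.

```python
"""Best-effort CentOS -> RHEL advisory matching (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

_NUM = re.compile(r"\d+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpm's rpmvercmp.

    Returns -1, 0 or 1. Strings are split into numeric and alphabetic
    segments; numeric segments compare numerically, alphabetic ones
    lexically, a numeric segment beats an alphabetic one, and a tilde
    sorts before everything (pre-release). Caret handling is omitted.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Separators (dots, dashes, anything non-alphanumeric except '~') are skipped.
        while one and not (one[0].isalnum() or one[0] == "~"):
            one = one[1:]
        while two and not (two[0].isalnum() or two[0] == "~"):
            two = two[1:]
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        pattern, isnum = (_NUM, True) if one[0].isdigit() else (_ALPHA, False)
        m1, m2 = pattern.match(one), pattern.match(two)
        s1 = m1.group(0)
        s2 = m2.group(0) if m2 else ""
        one, two = one[len(s1):], two[len(s2):]
        if not s2:  # segments of different type: numeric is newer
            return 1 if isnum else -1
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):  # longer digit string is the bigger number
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return int(epoch), version, release


def evr_compare(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


@dataclass
class Package:
    name: str
    evr: str
    os_id: str  # assumed: derived by the scanner from /etc/os-release


@dataclass
class Advisory:
    id: str  # placeholder ids below, not real RHSA numbers
    package: str
    fixed_evr: str  # first EVR that carries the fix, per the RHEL feed
    rhel_major: int


def match(pkg: Package, advisories: List[Advisory]) -> Tuple[str, str]:
    """Return (status, reason) for one package under the thread's policy."""
    if pkg.os_id == "centos-stream-8":
        return ("unsupported", "CentOS Stream runs ahead of released RHEL; versions do not line up with RHEL data")
    if pkg.os_id != "centos-7":
        return ("unsupported", f"no RHEL mapping defined for {pkg.os_id}")
    caveat = "CentOS 7 is a rebuild of RHEL 7 source in a different build system; not validated by CentOS or Red Hat"
    for adv in advisories:
        if adv.package == pkg.name and adv.rhel_major == 7:
            if evr_compare(pkg.evr, adv.fixed_evr) < 0:
                return ("vulnerable-best-guess", f"{adv.id}: {pkg.evr} < {adv.fixed_evr}; {caveat}")
    return ("not-matched-best-guess", f"no RHEL 7 advisory below installed EVR; {caveat}")


# Constructed sample data: placeholder advisory ids and made-up package versions.
SAMPLE_ADVISORIES = [Advisory("RHSA-PLACEHOLDER-0001", "examplelib", "1:1.0.2k-21.el7_9", 7)]
SAMPLE_PACKAGES = [
    Package("examplelib", "1:1.0.2k-19.el7", "centos-7"),
    Package("examplelib", "1:1.0.2k-21.el7_9", "centos-7"),
    Package("examplelib", "1:1.0.2k-19.el8", "centos-stream-8"),
]


def scan(packages=SAMPLE_PACKAGES, advisories=SAMPLE_ADVISORIES):
    """Run the matcher over a package list and return {(name, evr, os_id): status}."""
    return {(p.name, p.evr, p.os_id): match(p, advisories)[0] for p in packages}


if __name__ == "__main__":
    for key, status in scan().items():
        print(key, "->", status)
```

The status labels deliberately carry "best-guess" so that a consumer of the report cannot mistake a CentOS 7 match for an assured RHEL result; a real scanner would also record which feed and which mapping rule produced each finding.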