[CentOS-devel] re CVE errata in CentOS Stream

On Wednesday, February 17, 2021 9:01 PM, Mike McGrath <mmcgrath at redhat.com> wrote:

> On Wed, Feb 17, 2021 at 8:09 PM Naoto Kobayashi <naoto.kobayashi4c at gmail.com> wrote:
>
> > Dear community,
> >
> > I would like to ask a following question:
> >
> > - How are CVEs handled in CentOS Stream? The answer in faq
> >   page (https://centos.org/distro-faq) states that security
> >   issues will be updated in CentOS Stream after they are solved
> >   in the current RHEL release. However, CentOS Steam 8 solved
> >   CVE-2020-15437 (kernel) while RHEL 8 has not (as of February 17,2021).
> >   Does the order of security updates between RHEL and CentOS Stream
> >   depend on the situation?
>
> There's a bit of nuance to this question in that policy states that CVEs should be fixed in RHEL before CentOS Stream.  However, there are a couple of practical problems this introduces that we work around by shipping in CentOS Stream first.  For example, we may do a rebase that contains a CVE fix.  Everyone universally agrees we don't want Red Hat engineering CVE vulnerabilities back into CentOS Stream that may have been fixed by a rebase.  In this scenario, a CVE fix may go out in Stream before a RHEL release.
>
> There are also some scenarios around lower and moderate CVEs where we run into practical issues maintaining a "RHEL" patchset and a "CentOS Stream" patchset.  In that scenario a CVE might get fixed in CentOS Stream first.

Is that policy still what is best for Red Hat in the long term.

Staf Walter wrote on the CentOS blog that: "Back in July, a RHEL (and CentOS) fix for the 'boot hole' vulnerabilities ended up being far worse than the CVE itself: it caused many systems not to boot."

It seems to be implied even after Stream gets fully going that Red Hat will continue to induce CVE patch related regressions (such as "Boot Hole") on RHEL users first.

Is there the assumption that Stream CD/CI testing contributors will also be at least running some RHEL instances in addition to Stream since RHEL has 16 "free" licenses?

How long of a delay should we expect between the time CVE changes are applied to RHEL til the point they are available to Stream?  For purposes of CD/CI it would be nice to have access to the regression as soon as possible to confirm new test code is able to confirm a regression.