[CentOS-devel] re CVE errata in CentOS Stream

Fri Feb 26 14:23:47 UTC 2021
Patrick Riehecky <riehecky at fnal.gov>

On Fri, 2021-02-26 at 09:02 +0000, redbaronbrowser via CentOS-devel
>  Given Red Hat policy of withholding security updates from Stream

This is a fundamental misstatement of the workflow.

For EMBARGOED security errata, RHEL will be getting the fix ahead of

Stream is built in the open where anyone can see what is built, any
patches, and changelogs.  If an embargoed update is built in stream
before the announcement date, the embargo is violated.

RHEL is built in private.  They can build the embargoed update whenever
they want, stage it for release, and maintain the privacy of the CVE.

This means there is a certainty that EMBARGOED updates will get into
RHEL first. 

This gets more complex if the stream package is ahead of the RHEL
update.  If the stream and RHEL packages are identical, the source code
sync process will automatically get the update built and published.

If the stream package is ahead of the RHEL package, then the patch will
need to be ported over.  This will take some time and be done in
public.  It may take minutes or hours.

If you've a way to improve this workflow while honoring the commitments
to embargoes and build transparency, I'm certain it would be well