[CentOS-devel] re CVE errata in CentOS Stream

Fri Feb 26 14:33:57 UTC 2021
Johnny Hughes <johnny at centos.org>

On 2/26/21 3:02 AM, redbaronbrowser via CentOS-devel wrote:
> On Friday, February 26, 2021 1:32 AM, Fabian Arrotin <arrfab at centos.org> wrote:
>> Now let's just take two seconds to think about it : if Red Hat would
>> really like on purpose to make Stream unstable for production use,
>> why would we even just deploy our critical build infra , used on the
>> critical path for RHEL9, on top of Stream ? Just think about it and read
>> this sentence again ;-)
> I agree with the point you are trying to make.  It is my belief that the CentOS project intends for Stream to be stable for production use.
> However, Red Hat is sending a mixed message by offering free RHEL licenses to the Stream project.  The next logical step after making the offer would be for the CentOS Governance Board to mandate a policy of using RHEL for Stream project infrastructure.  Given Red Hat policy of withholding security updates from Stream, such a mandate would make sense.
> If CentOS really will be using Stream in the long term for critical build infrastructure, it would be nice to hear from the CentOS governance board that they do not intend to change that.

No one in the CentOS Project ever said that Red Hat (the corporation)
ever wanted anyone to deploy CentOS Linux (or CentOS Stream) anywhere in
production.  Red Hat says that RHEL is the only thing they offer that is
production ready.  What else would they say?

In reality, they are correct.  RHEL is the only production ready
enterprise offering, simply because they offer things you need in that
environment that are not offered other places.  (A Service Level
Agreement, Software Assurance, etc.)

Red Hat is also offering many more ways to get RHEL for free, as a
service to the community.  Currently the 2 programs .. more to come.

None of that has any impact on the CentOS Stream process.  For some
users, CentOS Stream will be usable for them in production .. for others
it will not be.

But from a user perspective, packages built from source code that will
become the next RHEL minor release in less than 6 months is absolutely
as "stable" and "usable" as any enterprise distribution out there
besides RHEL.  The fact that it has a 5 year lifetime and is free is as
good as any released distribution out there.

I get it, people want what they had.  Hell, I want it too.  If / When
the other downstream RHEL source code builds happen, use them if that is
what you want.  None of that requires bashing CentOS. CentOS is not
bashing any of those distros.