[CentOS-devel] re CVE errata in CentOS Stream

Fri Feb 26 18:57:00 UTC 2021
redbaronbrowser <redbaronbrowser at protonmail.com>

On Friday, February 26, 2021 8:33 AM, Johnny Hughes <johnny at centos.org> wrote:

> I get it, people want what they had. Hell, I want it too. If / When
> the other downstream RHEL source code builds happen, use them if that is
> what you want. None of that requires bashing CentOS. CentOS is not
> bashing any of those distros.

Ok.  But why is that what you want too?

Why isn't KW's blog post enough to consider Stream a win-win?

There seems to be a belief that CentOS being a downstream will provide better QA than CentOS as an upstream.

I think KW was right that with a community-driven CD/CI, being an upstream will be a win-win.

I see two reasons why adoption of Stream 8 might be poor on the CentOS 8 termination date.

First, it sounds like Stream 8 will already be a de-focused project by that date.  It isn't clear my request for a breakdown on the Stream 8 kernel patches will ever be honored.  I see going from CentOS 8 to Stream 9 as much more jarring than transitioning to Stream 8.  The project should be putting its best foot forward on Stream 8 first and then focusing on 9.

Second is the timing of getting CD/CI to a mature state.

Some of the CD/CI tests I see as needed are complex, and I can't find any current public example code of how to perform them.  If there is a CVE which causes a denial of service, what is the established procedure for testing whether the problem still exists?  Are there any existing CD/CI tests that are performed in a VM with external monitoring to see if the test passes or fails (if the VM becomes unresponsive)?

If I am able to get a complex test that a current C8S package fails in April, how soon should we expect a fix and rebuild of the package?  What if the fix reveals more tests are needed that it then also fails?

Is there any point in which a potential Stream adopter starts a 90 day evaluation of Stream in October while there are packages that are failing CD/CI tests because the packages haven't been rebuilt yet?

What was the basis for the determination Jan 1, 2022 is the best date to promote Stream focus/adoption?

Rich Bowen has pointed out multiple times that the community, through its contributions, gets a say in the success or failure of Stream.  I believe to some extent that is true.  But at the same time, we have already been vetoed on deciding when we are in a ready state.  There is no attempt to seek community consensus on the target date.

If we just drive people to other RHEL clones then we have lost building a focus with those people around Stream.  Isn't that enough reason to lay out a set of prerequisites for a "when Stream is ready" criteria before shutting down CentOS 8?
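The post asks whether any CD/CI test runs a denial-of-service reproducer inside a VM while something outside the VM decides pass or fail. The sketch below is an added example of that external-watchdog pattern; it is not CentOS CI code and not part of the thread. A child process stands in for the guest VM (it runs the test workload in a thread while its main thread answers heartbeat probes), and the parent process is the monitor: it never relies on the guest reporting its own hang and instead reaches a verdict from missed heartbeats, a guest that exits unexpectedly, or a wall-clock budget. The workloads are constructed stand-ins, and freezing the guest with SIGSTOP assumes Linux.

```python
"""External watchdog for a denial-of-service regression test (added example)."""
import multiprocessing as mp
import os
import signal
import threading
import time
from dataclasses import dataclass


@dataclass
class Verdict:
    status: str        # "passed", "workload_failed", "unresponsive", "crashed", "timeout"
    elapsed: float     # seconds from guest start to verdict
    missed_beats: int  # consecutive probes the guest failed to answer


def _guest(conn, workload):
    """Runs in the child process, which stands in for the guest VM."""
    failed = []

    def runner():
        try:
            workload()
        except Exception:          # a test that fails cleanly is not a hang
            failed.append(True)

    t = threading.Thread(target=runner, daemon=True)
    t.start()
    while True:                    # service probes for as long as the guest is alive
        conn.recv()
        if t.is_alive():
            conn.send("beat")
        else:
            conn.send("failed" if failed else "done")


def run_under_watchdog(workload, timeout=10.0, probe_interval=0.1,
                       probe_timeout=0.5, max_missed=2):
    """Run `workload` in a guest process and judge it entirely from outside."""
    ctx = mp.get_context("fork")   # assumption: POSIX host
    parent, child = ctx.Pipe()
    proc = ctx.Process(target=_guest, args=(child, workload))
    proc.start()
    child.close()                  # keep only our end so guest exit shows up as EOF/EPIPE
    start = time.monotonic()
    missed = 0
    try:
        while time.monotonic() - start < timeout:
            try:
                parent.send("probe")
                reply = parent.recv() if parent.poll(probe_timeout) else None
            except (EOFError, OSError):          # guest process went away (think: panic)
                return Verdict("crashed", time.monotonic() - start, missed)
            if reply == "done":
                return Verdict("passed", time.monotonic() - start, missed)
            if reply == "failed":
                return Verdict("workload_failed", time.monotonic() - start, missed)
            if reply == "beat":
                missed = 0
            else:                                # no answer within probe_timeout
                missed += 1
                if missed >= max_missed:
                    return Verdict("unresponsive", time.monotonic() - start, missed)
            time.sleep(probe_interval)
        return Verdict("timeout", time.monotonic() - start, missed)
    finally:
        if proc.is_alive():
            proc.kill()            # SIGKILL is delivered even to a stopped guest
        proc.join()
        parent.close()


# Constructed workloads standing in for the four outcomes a DoS test can have.
def healthy_workload():
    time.sleep(0.3)                # the reproducer runs and finds nothing


def failing_workload():
    time.sleep(0.1)
    raise AssertionError("constructed: bug detected without hanging the guest")


def hanging_workload():
    time.sleep(0.1)
    os.kill(os.getpid(), signal.SIGSTOP)   # freeze the whole guest, like a hung kernel


def panicking_workload():
    time.sleep(0.1)
    os._exit(1)                    # the guest disappears outright


if __name__ == "__main__":
    for wl in (healthy_workload, failing_workload, hanging_workload, panicking_workload):
        print(f"{wl.__name__:20s} -> {run_under_watchdog(wl)}")
```

The point of the split is that the verdict is computed where the failure cannot reach it: a frozen guest cannot mark its own test as failed, so the monitor treats silence as the result. In a real pipeline the pipe would be an SSH or serial-console probe against the VM and `proc.kill()` would be the hypervisor destroying the domain, but the control flow is the same.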