[CentOS-devel] Documenting the CentOS Linux 8 EOL process

Fri Jul 16 09:42:07 UTC 2021
Alex Iribarren <alex.m.lists3 at gmail.com>

Hello,

(sorry for diverging from the OT)

On 7/16/21 9:43 AM, Neal Gompa wrote:
>> It's one of the dangers of the "streaming" model, when unanticipated
>> dependencies are discovered in the field.  It's why I expect people to
>> use rsync or reposync tools to generate internal mirrors with locked
>> snapshots, which they used to do with CentOS point releases.
> 
> You mean like how people *already* did it because they thought regular
> CentOS updates were "too dangerous"? Frankly, I don't buy what you're
> selling here. To make matters worse, the previous model gave you
> *zero* opportunity to resolve issues with updates if they were buggy.
> They just stayed broken for months or years. At least now there's a
> chance of them getting fixed in a reasonable time window.


While I agree with this in theory, in practice it doesn't work out quite 
that nicely. We are currently affected by two[1][2] different issues in 
CS8 and the only way we can mitigate them somewhat is by snapshotting 
and tweaking the packages we distribute to our internal users. Sure, we 
can report the issues to Red Hat/CentOS, but then we still have to wait 
until they do their testing and decide they're ready to publish the 
fixes. This can take a really long time, and in the meantime there may 
be security fixes[3] that you *have* to publish, so you have to be able 
to keep some updates back and promote others, independently of what Red 
Hat/CentOS decides.

In fairness, the same thing happens in the "non-streaming" model, but 
just saying "but now you can contribute!" doesn't really help much in 
practice.

Anyway, sorry for the rant.

Cheers,
Alex


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1966712:
     CentOS decided to upgrade to a release candidate version of mdadm
     which is unable to verify its own checksums, so we can't install
     machines with software RAID. Fix was sent upstream, and we're stuck
     waiting until they acknowledge it. *We the community* can't push the
     fix to Stream 8, so how is our contribution useful?
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1972278
     Apparently waiting to pass Red Hat's gating, a black-box process.
     *We the community* can do nothing but wait, it will be ready when
     it's ready.
[3] CVE-2021-3560
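As an added example (not part of Alex's post, and not anything CentOS or Red Hat ships), here is the "locked snapshot" mirror workflow the thread describes, written as a small POSIX shell script: take a dated reposync copy of an upstream repo, swap one package back to the build from a previous known-good snapshot, then flip the symlink that internal clients follow so the rest of the snapshot (security fixes included) still goes out. The repo id `baseos`, the mirror root `/srv/mirror`, the `current` symlink name and the choice of `mdadm` as the held-back package are my assumptions; the mirror host is assumed to have the dnf reposync plugin, createrepo_c and GNU coreutils installed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from CentOS:
# a minimal "locked snapshot" mirror for CentOS Stream 8 in which one
# package is held back at its last known-good build while the rest of the
# snapshot is promoted to internal clients.
# Assumptions (mine, not the poster's): repo id, mirror root, "current"
# symlink name and the held-back package name are all placeholders.
set -eu

MIRROR_ROOT="${MIRROR_ROOT:-/srv/mirror}"

# Pull a dated, self-contained copy of an upstream repo into
#   $MIRROR_ROOT/<repoid>/<date>/   (rpms + repodata/)
# Needs network and the dnf reposync plugin; the self-test never calls it.
snapshot_repo() {
    repoid="$1"; day="$2"
    dest="$MIRROR_ROOT/$repoid/$day"
    mkdir -p "$dest"
    dnf reposync --repoid="$repoid" --download-path="$dest" \
        --norepopath --download-metadata --newest-only
    echo "$dest"
}

# Replace <pkg> in snapshot <new> with the build shipped in snapshot <good>.
# The glob <pkg>-[0-9]*.rpm matches only the main package (e.g. mdadm-4...),
# not subpackages such as mdadm-debuginfo; widen it if those must move too.
hold_back_package() {
    repoid="$1"; new="$2"; good="$3"; pkg="$4"
    newdir="$MIRROR_ROOT/$repoid/$new"
    gooddir="$MIRROR_ROOT/$repoid/$good"
    found=0
    for rpm in "$gooddir"/"$pkg"-[0-9]*.rpm; do
        [ -e "$rpm" ] || continue   # unmatched glob stays literal; skip it
        found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no $pkg build in $gooddir to fall back to" >&2
        return 1
    fi
    rm -f "$newdir"/"$pkg"-[0-9]*.rpm
    cp "$gooddir"/"$pkg"-[0-9]*.rpm "$newdir"/
    # Metadata must be regenerated or clients still see the removed build.
    # createrepo_c is not present in the self-test environment, so skip there.
    if command -v createrepo_c >/dev/null 2>&1; then
        createrepo_c --update "$newdir"
    fi
}

# Point clients at a snapshot by replacing the "current" symlink with a
# single rename(2), so no client ever sees a half-switched repo.
# mv -T is GNU coreutils (as on CentOS); it stops mv from descending into
# the directory the old symlink points at.
promote_snapshot() {
    repoid="$1"; day="$2"
    link="$MIRROR_ROOT/$repoid/current"
    [ -d "$MIRROR_ROOT/$repoid/$day" ] || { echo "no snapshot $day" >&2; return 1; }
    ln -s "$day" "$link.tmp.$$"
    mv -T "$link.tmp.$$" "$link"
}

# Tiny CLI so the file is usable directly, e.g.
#   ./mirror.sh snapshot baseos 2021-07-16
#   ./mirror.sh hold-back baseos 2021-07-16 2021-06-01 mdadm
#   ./mirror.sh promote baseos 2021-07-16
case "${1:-}" in
    snapshot)  snapshot_repo "$2" "$3" ;;
    hold-back) hold_back_package "$2" "$3" "$4" "$5" ;;
    promote)   promote_snapshot "$2" "$3" ;;
esac
```

Clients then point a `.repo` file at `.../baseos/current/` and never at a dated directory, so promotion is a server-side decision: a bad build is pinned by rewriting the snapshot, not by asking every client to run versionlock. The held-back build is only as safe as the snapshot it came from, so record which snapshot each override was taken from and revisit it once the upstream fix lands.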