[CentOS-devel] re CVE errata in CentOS Stream

Tue Mar 2 17:05:30 UTC 2021
Johnny Hughes <johnny at centos.org>

On 3/1/21 12:00 PM, redbaronbrowser via CentOS-devel wrote:
> On Monday, March 1, 2021 10:44 AM, Johnny Hughes <johnny at centos.org> wrote:
> 
>> On 3/1/21 9:44 AM, Matthew Miller wrote:
>>
>>> On Sat, Feb 27, 2021 at 01:18:46AM +0000, redbaronbrowser via CentOS-devel wrote:
>>>
>>>> CentOS now seems more receptive to greatly expanding the number of SIGs.
>>>> Hopefully this will mean critical EPEL packages will migrate under CentOS.
>>>> Once that has been done, it should be possible to get a more consistent
>>>> CD/CI across both Stream and the Stream Extended packages inherited from
>>>> EPEL.
>>>
>>> Why duplicate? I'd rather see CentOS SIGs with interest in EPEL packages
>>> actually work in EPEL.
>>
>> I would agree with this for items where you are trying to maintain the
>> same versions. No need to duplicate work.
>>
>> If they need different versions for the SIG than are in EPEL .. maybe
>> maintain those in the SIG.
> 
> How will CD/CI work across those lines?
> 
> For example, rsyslog depends on glibc, I assume a patch applied to glibc will also result in the CD/CI tests for rsyslog also being run.  If the patch breaks rsyslog, the patch will be reviewed before release.
> 
> One of the concerns being brought up seems to be if the nature of Stream will break EPEL packages.  As far as I see it, if CD/CI testing is integrated between the two then that concern should be addressed over time as testing continues to improve.
> 
> So, take for example, syslog-ng instead of rsyslog.  Is there any method for that package to also trigger CD/CI tests for glibc changes while remaining in a repo that is technically external to Stream?
> 
> If Stream 8 could have a change which breaks EPEL 8 packages, couldn't that indicate an API/ABI break which could create larger issues if ever propagated into RHEL?
> 

So, how EPEL will test for and decide if stream packages work with
current EPEL8 packages is not something we really handle on this list ..
it is something that EPEL (managed by the Fedora Project) needs to
figure out.

Carl George (who works on CentOS Stream and is a member of the EPEL
board) probably knows what they are doing .. if he wishes to elaborate here.

> To be clear, I'm not asking if Stream 9 might break EPEL 8 packages.  I'm also not asking how quickly EPEL 9 will be available after the release of Stream 9.  I'm just asking how CD/CI testing will work across like versions (Stream/EPEL 8, Stream/EPEL 9, etc).

Another issue is if the actual EPEL repos are available in the CentOS
CI/CD system .. and if EPEL is available to build against for the CentOS
Community Build System (CBS).

Both of those issues will need to be addressed to prevent duplicate work
of rolling EPEL Packages into CentOS SIGs.