[CentOS] More questions about patch management

Tue Jan 31 09:45:46 UTC 2006
Plant, Dean <dean.plant at roke.co.uk>

Johnny Hughes wrote:
> On Mon, 2006-01-30 at 20:56 -0600, Steve Bergman wrote:
>> My original understanding was that only security patches get issued
>> between quarterly releases.  But that then the distro gets updated
>> with bug fixes 2 to 4 times per year.
>> 
>> I may be getting this all wrong, but I get the impression that there
>> are 3-4 month periods of quiescence punctuated by short periods (or
>> a day?) of significantly more intensive patching.
>> 
>> Is that correct?
>> 
> 
> That is generally correct ... the upstream provider generally releases
> security patches between the update set releases.  They generally
> release bugfix and enhancement updates during an update set (or as we
> call it a point release).
> 
> They also generally release an update set at 3-4 month intervals.
> 
> The update sets contain both security, bugfix, and enhancement updates
> though ... and normally many of the new enhancement and bugfix updates
> are required as dependencies for the security updates.
> 
> All of these things are general though ... to see exactly what updates
> were released and when, look here (for the upstream EL4 product):
> 
> You can see every update and the date it was released ... you can also
> see the update set dates of:
> 
> Release =  2005-02-14
> 
> update1 =  2005-06-09
> 
> update2 =  2005-10-05
> 
> (this is about 4 months between release sets)
> 
> You can also see that there were:
> 
> 27 day zero updates on 02-15-2005, 3 bugfix updates between release and
> update1, 3 security updates as part of update1, 0 bugfix updates
> between update1 and update2, 11 security updates as part of update2, 5
> bugfix/enhancement updates between update2 and now.
> 
> We at CentOS release the updates that are released upstream ... when
> they are released upstream ... we do so regardless of whether they are
> bugfix or security or enhancement updates ... because, they were
> released when they were for a reason :)
> 
> Some other rebuild distros ONLY release security updates between
> update sets ... others release hardly any updates at all.  We
> personally think the upstream provider is the absolute best
> enterprise distro in the world, and that they are smart enough to
> release the updates that they want when they want them released,
> therefore, we release the same packages too.

I found this interesting, an interview of the Red Hat CIO suggests there
may be a change in the way Red Hat rolls its updates.

From
http://cio.co.nz/cio.nsf/UNID/0358EF0F3EFF0584CC2570AA0073523A?OpenDocument
which Johnny posted in another thread:

"One customer told me that it's difficult to meet the SAS-70 auditing
requirements, because Red Hat releases security updates and general
patches together. Is your company addressing this?

It's true that when quarterly updates come out, security is done only
for that update. So customers have to move to that update with us if
they want to stay secure. What we're looking at now - and this wasn't
necessitated until recently, now that we have over 1 million
subscriptions out and 36,000 new customers in each of the last two
quarters - is offering longer support for back releases. So some
customers could stay on an old update release and still get the security
patches."

Dean