[CentOS] "yum --security" and staying with 5.0

Johnny Hughes johnny at centos.org
Mon Dec 24 13:57:25 UTC 2007


Amos Shapira wrote:
> Hello,
> 
> So I've watched a few threads about the new 5.0 vs. 5.1 upgrade and
> have a couple of (hopefully) practical questions about this:
> 
> Context - I'd like to stick to 5.0 at least for a while until the dust
> around 5.1 settles down (and I'm back from holidays).
> As an example - In Debian, as long as I stick to "stable" I can be
> sure that the only updates I receive there are for heavily tested very
> important bugs and security issues, so I should generally apply them.
> 
> 1. If I read the FAQ correctly, in order to force yum to stay with 5.0
> should I just manually edit /etc/redhat-release from:
> 
> CentOS release 5 (Final)
> 
> to:
> 
> CentOS release 5.0 (Final)
> 
> (i.e. add ".0" to the version)? If not then what should I do?
> 
> 2. I am hoping that yum-security will allow me to stick to the latest
> security updates for 5.0 without forcing me to upgrade to 5.1 until
> the dust settles down. Am I correct that this is possible with
> yum-security and the repositories provided by CentOS? Will "yum update
> --security" update packages with later versions only if those versions
> fix security issues? Are security updates maintained for 5.0? Here is
> what I get right now on one of my systems (without doing the change I
> asked about in (1)):
> 
> # yum --security list updates
> Loading "security" plugin
> Loading "installonlyn" plugin
> Setting up repositories
> base                      100% |=========================| 1.1 kB    00:00
> updates                   100% |=========================|  951 B    00:00
> addons                    100% |=========================|  951 B    00:00
> extras                    100% |=========================| 1.1 kB    00:00
> Reading repository metadata in from local files
> Limiting package lists to security relevant ones
> No packages needed, for security, 196 available
> 
> If I drop the "--security" flag I indeed get a list of 196 packages to upgrade.
> 
> So to clarify my question - is my system secure (in terms of package
> versions) by sticking to "yum update --security"?
> 
> Thanks,
> 
> --Amos

I would also like to address this whole subtree (or z series) issue.

First ... The upstream guys have not offered this service yet.  When
they do, it will offer a subset of updates for some people who really
want to have only a very small subset of updates for their equipment for
18 months.

It is explained fully (at least as it has been explained to us) in this
post to the list:

http://lists.centos.org/pipermail/centos/2007-December/091189.html

Second ... Since this is not really implemented (in practice) by
upstream, it is currently vaporware.  When they implement it, then we
can see in practice what they actually do and emulate it.

Third ... What happens to the 5.1.3 people (automatically) at the "5.1.3
EOL / 5.5" point is the one major issue that I see as problematic.  I
would guess that they would move up to the 5.2.3 tree ... then on the
5.6 release (5.2.3 EOL), they would have to move up to the 5.3.3 tree
... then on 5.7 (5.3.3 EOL) to the 5.4.3 tree, etc.  What to do to those
people automatically is critical, and we will have to see what upstream
does to make our decision.

If upstream stays as conservative as they currently are between point
releases (ie, 5.0 to 5.1, 5.1 to 5.2), moving from 5.1.3 to either 5.2.3
OR 5.5.0 should be equally possible.  However, I have heard tell of
things between point release sets MAYBE becoming a bit less conservative
between the 5.1 and 5.2 branches after they get the z series stuff
implemented.  If that is the case, then moving between branches MAY
become a little bit harder.

HOWEVER, until the vaporware becomes reality and until we can actually
see what the version schemes REALLY DO (and if the changes between
branches become less conservative), this whole thread is just
speculative conjecture.  Let's see the programs in action and see what
happens at 5.1.3 EOL time, etc.

In the meantime, people who want security updates need to do what the
RHEL people did ... update.  There is no channel for the upstream people
to do only security updates right now, they run yum and they get all the
latest updates ... the same thing happens in CentOS.

Also ... the "yum --security" feature would only tell you CVE and other
security information about a package.  It does not actually perform
security only updates, it just provides security information if a package
is a security update.  As posted in other places in this thread and the
5.1 release notes, the CentOS version of yum does not have this feature.

Thanks,
Johnny Hughes
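The quoted "No packages needed, for security, 196 available" is what the yum-security plugin reports when the repository metadata carries no updateinfo advisory data to match packages against. As an added example (not code from the original thread or from CentOS), here is a small shell check for that metadata; the repomd.xml files are constructed samples and the yum cache path is an assumption:

```shell
# Added example, not code from the original thread or from CentOS: check whether a
# yum repository's metadata carries an "updateinfo" entry, the advisory data the
# yum-security plugin reads. A repo without it yields exactly the quoted result:
# "No packages needed, for security, N available". The repomd.xml contents below
# are constructed samples; on a real box look in /var/cache/yum/<repoid>/repomd.xml
# (assumed cache layout for yum 3.x).

# Print the <data type="..."> entries of a repomd.xml file, one per line.
repomd_data_types() {
    sed -n 's/.*<data type="\([^"]*\)".*/\1/p' "$1"
}

# Exit status 0 when the repo ships updateinfo, 1 when it does not.
has_updateinfo() {
    repomd_data_types "$1" | grep -qx updateinfo
}

# One-line verdict an admin can act on before trusting "yum --security".
security_metadata_status() {
    if has_updateinfo "$1"; then
        echo "updateinfo present: --security can tell security updates apart"
    else
        echo "no updateinfo: --security cannot classify any of the pending updates"
    fi
}

# Constructed sample 1: primary/filelists/other only, no advisory feed.
REPOMD_PLAIN="$(mktemp)"
cat > "$REPOMD_PLAIN" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
  <data type="other"><location href="repodata/other.xml.gz"/></data>
</repomd>
EOF

# Constructed sample 2: the same repo with an updateinfo entry added.
REPOMD_WITH_SEC="$(mktemp)"
{
    grep -v '</repomd>' "$REPOMD_PLAIN"
    echo '  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>'
    echo '</repomd>'
} > "$REPOMD_WITH_SEC"

security_metadata_status "$REPOMD_PLAIN"
security_metadata_status "$REPOMD_WITH_SEC"
```

Run against each repo's cached repomd.xml before relying on "--security": a repo that lists no updateinfo will never mark anything as security-relevant, no matter how many updates are pending.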
