[CentOS] CentOS Project Infrastructure
vvmarko at gmail.com
Tue Aug 11 23:52:26 UTC 2009
On Tuesday 11 August 2009 23:25:23 Ian Murray wrote:
> I am troubled by the window of opportunity that a hacker has between RH
> releasing a point release and CentOS releasing the equivalent. Every RH
> published errata for that stream is a known weakness to your system and
> there is not a sausage you can do about it until the CentOS project
> delivers the point release. The quicker it is, the less of a problem, but
> the slower it is, the more exposed you are. CentOS have not exactly been
> knocking out the updates very quickly.
> Having asked the question on the SL list, I've been informed that they
> release interim security errata and build all dependencies. They freely
> admit that doesn't always work and somethings do get missed, especially
> immediately after RH does a point release. However, as was also pointed
> out, you have the choice to take the updates or not, so you are never worse
> off than you are with CentOS, in that respect at least.
Why don't you go with the SL or even pay RH, if you are that concerned about
hacking attempts? It seems clear that CentOS is not a good distro for you if
you are not satisfied with its update schedule. I believe it is better to make
a different choice of distro, than to ask for substantial changes in the
current one, especially if other people should do that extra work for you.
And please don't tell me that SL has other flaws. If security is your first and
most important concern, the best thing is to buy RH, it is definitely worth it.
If you cannot invest money, go with SL, they have faster updates. If things
break, well, at least you didn't get hacked. You should evaluate what is best
for your situation and go with it, not ask CentOS to be both rock-solid and
fast with updates at the same time.
More information about the CentOS