nate wrote:
> Akemi Yagi wrote:
>
>> We can't be the only ones still using C4 i386. Some of the outstanding
>> security updates are rated critical; maybe people just don't realize
>> how many unpatched vulnerabilities there are at this point.
>
> I run C4 i386, though my systems are on trusted networks whose
> only services are provided by 3rd party packages (mostly java/tomcat)
> and my CentOS 4.6 machines are the least of my worries when it comes
> to updates (hello RHEL 3 update 3!)
>
> When we get audited later this year I will try to push us onto RHEL,
> should be easier to justify at that point.
>
> nate
>

I think the point is that there must be something very wrong/broken if a) security updates are missing for over a month, and b) people don't even like to ask for fear of offending someone, and c) no one really talks about it.

One of the project's stated goals has always been to release updates within 72 hours, and often within 24 hours from upstream release. This isn't about missing that target by a day or two, but rather that security updates are completely missed altogether until someone notices and says something, at which point they normally appear 24 hours later.

It looks more like the process is broken to me, but as we have no idea what the process actually is it's impossible to tell.