On Thu, 24 Feb 2011, Cal Webster wrote:

> java-1.6.0-sun non FOSS, non-source provided, no?

This is in an addon channel in RHEL, and so far as I know we have never shipped such.

Of the others, the wireshark update is a periodic update of some edge case dissectors [these developers are quite good about releasing time based 'fixes' for their tool -- a different model than upstream, but perfectly valid], and if nominally remotely exploitable, as a practical matter, not a material threat.

The kerberos update crossed vendor-sec, but seems again to be an edge case hole.

The pgsql update is nominally exploitable, but any sensible environment uses iptables and network segment isolation rather than adding a world listening daemon.

I have commented earlier on my distress at the openjdk update NOT crossing vendor-sec. This said, again, who in their right mind exposes an unprotected Java listener application to the wild?

I saw that another in the project mentioned 'bypassing' the 5.6 respin and testing delays for truly exploitable matter.

The potential 'bind' updates DoS attack vector turned out not to affect anything CentOS has shipped in base and updates, and so was a 'false positive', as prior discussion here has noted.

If one wants SLA and deterministic intervals between announcement and release, it is just not that hard to set up one-off building and updates from released sources upstream, and so one can have it at the price of a little learning and experimentation.

Alternatively, CentOS releases promptly on the usual norm, and during 'point' update times, falls back to trying to avoid 'dependency skew' problems by considering the potential disruption for millions of machines each needing manual depsolving intervention, vs. getting the next update built and QA'd and out the door in a durable fashion. If that is not 'quick enough', see the prior paragraph about self-building; or seek a vendor who will sell you the SLA you deem you require.

This is a simple 'build vs buy' decision [I might note that I have seen NO filed bug in the CentOS tracker asserting a need for any of the listed updates on an expedited basis].

-- Russ herrold