[CentOS] CentOS 5 Security Updates

Thu Feb 24 20:19:57 UTC 2011
Akemi Yagi <amyagi at gmail.com>

On Thu, Feb 24, 2011 at 12:05 PM, Ian Murray <murrayie at yahoo.co.uk> wrote:

>>> However, it was my
>>> understanding that "Critical" security updates and those that are
>>> "remotely exploitable" would be pushed out ahead of 5.6.
>>
>> That is my understanding, too. However, I see that the only "Critical"
>> one on your list is java-1.6.0-sun. This is not included in CentOS...

> As far as I understand this is a highly untrivial task and breaks the "binary
> compatible" rule. Nevertheless, this was attempted one or two dot releases ago,
> I think as an experiment as much as anything.
>
> I am not sure how the CentOS team thought of that exercise, in hindsight. I
> would be interested in knowing. From the explanation that Russ gave, it was a
> mighty effort, as far as I remember.

Right, it is not an easy task, as we see from past experience. I
think Karanbir is trying to come up with a way CentOS can provide
critical security updates ahead of the pending major release, as we can
see in his post [1] to the -devel mailing list:

"all updates to the /5/ tree are monitored and anything which has a
remote or local exploit will get pushed into the /5/ tree; things in 5.6
and against 5.6 that don't meet that criteria wait for 5.6 release. build
order, linking, inheriting upstream testing etc etc to blame."

[1] http://lists.centos.org/pipermail/centos-devel/2011-February/006916.html

Akemi