[CentOS] The delays on CentOS 5.6 are causing EPEL incompatibilities

Wed Mar 23 06:29:05 UTC 2011
Sam Trenholme <strenholme.usenet at gmail.com>

> Not that it matters, but the last time I checked, SL had not released
> their 4.9 or 5.6 releases either.

On the other hand, unlike CentOS, Scientific Linux (SL) is backporting
5.6 security fixes.  Indeed, all of the security issues CentOS 5.5 has
right now aren't in SL.

> SL is a fine product and people can use it if they want, but let's not
> pretend that they are releasing every point release before CentOS.

They haven't.  Indeed, before 2009 they significantly lagged behind
CentOS.  However, for the last two years, every SL release has been on
before the CentOS release, or within two weeks of the CentOS release.

[Left column CentOS release date, right column SL release date.]

> 4.8     08/22/09        07/21/09
> 4.9     03/02/11

For 4.9, I say "not applicable"; SL is current with security fixes,
and, as I understand it, 4.9 is just 4.8 + security fixes.  Indeed,
CentOS isn't mastering iso images for 4.9.

> 5.3     04/01/09        03/19/09

Within two weeks.

> 5.4     10/21/09        11/05/09

SL was two weeks after the CentOS release.

> 5.5     05/15/10        05/19/10

CentOS won--by all of four days.

> Don't get me wrong, SL is a good build and I highly recommend it ... but
> they do not beat CentOS on releases by months as seems to be insinuated
> here in the last couple of weeks.

SL is tied with CentOS for all 2009, 2010, and 2011 releases.  What
tips the scales in SL's favor is that they have a solid policy in
place to have timely security updates:

https://www.scientificlinux.org/documentation/faq/errata

And, yes, I am repeating myself, but all 5.6 security updates are
available for SL 5.5 users until they can master some SL 5.6 ISO
images.  This has been SL's policy for over a couple of years:

http://ever-increasing-entropy.blogspot.com/2009/08/perfect-illustration-of-why-i-now.html

I blogged about why I am in the process of making the switch to SL here:

http://set.tj/+kcsa

http://samiam.org/blog/20110319.html

---

As an open-source developer, I understand the frustration of working
hard and having a lot of freeloaders not appreciating my work.  I feel
people posting here talking about how unprofessionally CentOS is acting
are completely missing the point: CentOS is acting unprofessionally
because, well, they aren't being paid.  Being professional means that
money is changing hands.

A person does not get treated like a customer unless they are a paying
customer.  Just as most restaurants don't allow people to sit at their
tables unless they order something, open source developers have no
obligation whatsoever to their users unless said users appropriately
compensate them for their time.

CentOS has no obligation to ever make another security patch again.
They have no obligation to release 5.6, 6.0, or any other release of
their software.  Quite frankly, I think Karanbir Singh would be in his
right to say "Listen, I need to spend more time with my family and can
not continue working on CentOS unless I get paid for my time".

Yeah, a lot of freeloaders would flame him for asking for money (look
at the flame fest the Nexuiz developers got when they commercialized
their open-source game), but this is a perfectly healthy boundary for
an open-source developer to establish.

Some developers don't like announcing boundaries like that; a lot of
open source projects never formally die.  They have this way of
becoming inactive without any formal announcements and just
floundering.  I've seen this tape played many times before:

http://maradns.blogspot.com/2009/09/rant-putting-closure-on-project.html

Another example is djbdns, which is over ten years old; the last
formal release of djbdns has three known security holes:

http://set.tj/+kcvb

http://samiam.org/blog/20110103.html

- Sam