[CentOS] yum-plugin-security

Gabriele Pohl gp at dipohl.de
Sun Nov 23 00:54:49 UTC 2014


On Sat, 22 Nov 2014 17:10:40 -0600
"John R. Dennison" <jrd at gerdesas.com> wrote:

> On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
> > 
> > I don't like to spend time in creating ugly workarounds..
> > and therefore would highly appreciate if the CentOS-Developers
> > will add the data to the yum repositories.
> > Then I can use Munin to monitor the pending security packages
> > also for CentOS as now only for my RHEL machines.
> 
> It's not that simple.  Please have a look at the list archives in the
> past couple months where this was addressed.  The threads were either
> here or on the centos-devel mailing list.

thanks to Nux! who posted the following link in
the first reply of this thread:

----------------------------
Begin forwarded message:

Date: Sat, 22 Nov 2014 12:44:57 +0000 (GMT)
From: Nux! <nux at li.nux.ro>
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] yum-plugin-security


This plugin does not work on CentOS, at least not yet, there were previous discussions. e.g.
http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html
----------------------------

I read this thread and also another, which is referred to therein:
http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html

> If memory serves the primary factor that is holding this up is a space
> requirements issue; the threads can shed more light on it, however.

To tell the truth, as a person who is not familiar with the 
internal structures and procedures of tree building and 
maintenance of the repositories, I don't really understand 
why it should be so difficult to handle a "security-update" flag 
for the update packages, but I have to believe the experts, 
who make statements on this topic.

Here is what I picked up when reading the thread from devel list:

1. For a valid approach data for all packages over 
the complete history of the major version is needed.

2. At the time the data is only sent to the announce mailing list
and it will need a big effort with also manual work to 
collect all the data back from there.

3. "it would add significantly to the size required to
mirror CentOS and require a redesign of how we do trees completely (we
currently only push the latest tree for each live major version)." (Johnny Hughes)

4. The developers fear that the yum-plugin-security functions
may seduce people to only install the security relevant packages,
which can cause problems.

5. The tools used by Scientific Linux repo maintainers,
who support a security classification,
are available under a free software license.
https://cdcvs.fnal.gov/redmine/projects/python-updateinfo

My personal view is represented by the mails of Kevin Stange in this thread.
And I still hope that the issue will be solved by 
integrating the "security update" flag into the
CentOS repositories in the future.

so far and thanks for your replies to all contributors in this thread,

Gabriele


