[CentOS] why no recent bind update for CentOS 6?

Thu Jul 30 13:38:36 UTC 2015
Phelps, Matthew <mphelps at cfa.harvard.edu>

On Thu, Jul 30, 2015 at 5:37 AM, Johnny Hughes <johnny at centos.org> wrote:

> On 07/29/2015 07:27 PM, Nathan Duehr wrote:
> >>
> >> On Jul 29, 2015, at 18:20, Nathan Duehr <denverpilot at me.com> wrote:
> >>
> >>> On Jul 28, 2015, at 18:48, Peter <peter at pajamian.dhs.org> wrote:
> >>>
> >>> On 07/29/2015 11:51 AM, Noam Bernstein wrote:
> >>>> Hi CentOS developers - I’ve been happily using CentOS for several
> >>>> years now, so thanks for all the good work.  In the last week,
> >>>> however, I noticed that while the items in RHSA-2015:1443 have shown
> >>>> up as updates (and announced on centos-announce), the analogous
> >>>> update for CentOS 6, RHSA-2015:1471 (according to
> >>>> https://access.redhat.com/security/cve/CVE-2015-4620), doesn’t seem
> >>>> to be there.  Is there any reason why those of us using CentOS 6 are
> >>>> left behind, and/or any idea when a CentOS 6 bind update will be
> >>>> available?
> >>>
> >>> It's currently in the CentOS CR repository and will be released when
> >>> CentOS 6.7 drops soon.  If you want it now then just enable cr and
> >>> you'll get it with yum update:
> >>> http://wiki.centos.org/AdditionalResources/Repositories/CR
> >>
> >> Why didn’t it just go into CentOS 6.6 like a dozen other packages this
> >> week?
> >
> > Disregard, I guess for whatever reason when a new dot-release is going
> > on, things go into CR, but otherwise they go into the dot-release.  Or so I
> > just read in the notes about the current repo state.
> >
> > Yay, another goofy annoying thing to remember and another thing to go
> > add to ansible code to deploy and undeploy this goofy CR repo, just to
> > check machines properly for security updates.
> >
> > Not that I don’t love ya, volunteers, but I really hate waiting on
> > security updates while they bounce through CR… that doesn’t make any sense
> > at all.  Bug fixes, sure… security, no.
> >
>
> Of course it makes sense.  Those security updates are not released in a
> vacuum, and all the things they are built on/against also need to be
> released and installed for them to work.
>
> The source code for the security updates you are talking about is
> built against RHEL-6.7, not 6.6 by Red Hat.  They don't necessarily work
> on 6.6 without the other updates installed.  They also will not
> necessarily work correctly if built against 6.6 and then used later on
> 6.7.  We don't do this because it is fun.  In fact, it is the exact opposite
> of fun, it is quite a PITA.  We do it because in order to run the
> updates (and have them work correctly), you also have to be running the
> rest of 6.7.
>
> We are providing CR .. SO .. you can get all the updates if you want
> them early .. WHILE .. we also test and release 6.7.  It is double the
> work.
>
> Because we do CR, CentOS users had access to the 6.7 updates a full 3
> days before anyone else made them available and CR was released less
> than 5 days after the release of RHEL 6.7.
>
> Thanks,
> Johnny Hughes
>
>
OK, sorry to bring this up again, but why then is CentOS doing "rolling
updates" for CentOS 7 with different version numbers/base builds from
RedHat?

Based on what you said here, the CentOS 7 strategy doesn't make any sense
to me.


-- 
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphelps at cfa.harvard.edu, http://www.cfa.harvard.edu