[CentOS] OpenSSL Update - not a security update???

Johnny Hughes johnny at centos.org
Mon Mar 7 16:34:52 UTC 2016


On 03/03/2016 02:58 PM, Mark Milhollan wrote:
> On Wed, 2 Mar 2016, Johnny Hughes wrote:
>> On 03/02/2016 10:42 AM, Mark Milhollan wrote:
> 
>>> I wish --security was functional 
> 
>>> I hope that the lack is not due to 
>>> the assumed use resulting in it being ignored.
>>
>> That is not the reason, 
> 
>> We do not have enough space on donated mirrors 
> 
> Surely the data could be tailored to provide only that which applies to 
> the current set of RPMs.  Do we know that yum will fail if RPMs are 
> cited in the file but which are not available for install?

Whose current set .. yours or the guy that hasn't done an update since
2007?

The problem is, if we say we support the security plugin, then it has to
be able to update ANY configuration and all security updates.

Let's say that you are on 6.4 right now, there is a security update in
6.5 and 6.6, and there is a bugfix update in 6.7 (current version), you
run the security plugin and it says .. no security updates (because the
6.7 update is only a bugfix).

You are instead behind and have a security problem .. no, you have to
have all or it doesn't work, and it then causes people to think they are
OK when they are not.

> 
>> the data required for the xml file is not redistributable.
> 
> That does sound like it is being ignored, because you know you can't do 
> it.
> 
> As things stand.
> 
> (I think you should put all this in an/the FAQ then point people to it, 
> instead of sending large swaths of the same words yet again, which must 
> surely be frustrating.)
> 
> But the project could lobby Red Hat for access to the file, whether for 
> just CentOS (RH has done things just for CentOS before) or for the wider 
> community of rebuilders.  I can't know if this has been attempted, but 
> it has not been mentioned as having been asked.
> 

One of the things RHEL does that CentOS doesn't do (and has never done)
is verify security issues, verify fixes correct those issues and provide
assurance that they are fixed.  That is why RHEL is a paid product and
CentOS is free.

<snip>
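
The false negative described in the message above, as an added example that is not part of the original post and is not yum's or the security plugin's code. It is a simplified model with a constructed advisory history for one hypothetical package, comparing complete advisory metadata against metadata trimmed to the RPMs currently in the repository.

```python
# Added illustration: a simplified model of the scenario in the message,
# not the logic of yum or its security plugin.
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    release: tuple  # point release that shipped the build, e.g. (6, 5)
    kind: str       # "security" or "bugfix"


# Constructed history for one hypothetical package (the 6.4 -> 6.7 case).
HISTORY = [
    Advisory((6, 5), "security"),
    Advisory((6, 6), "security"),
    Advisory((6, 7), "bugfix"),
]


def trim_to_current(history):
    """Keep only advisories for the newest build, i.e. the RPM still in the repo."""
    newest = max(a.release for a in history)
    return [a for a in history if a.release == newest]


def security_check(installed, metadata):
    """Report what a metadata-driven security filter would tell this host."""
    pending = [a for a in metadata
               if a.release > installed and a.kind == "security"]
    return "security update needed" if pending else "no security updates"


def false_negatives(hosts, history):
    """Hosts that trimmed metadata calls clean while full history shows missed fixes."""
    trimmed = trim_to_current(history)
    return [h for h in hosts
            if security_check(h, trimmed) == "no security updates"
            and security_check(h, history) == "security update needed"]


if __name__ == "__main__":
    hosts = [(6, 4), (6, 5), (6, 6), (6, 7)]
    trimmed = trim_to_current(HISTORY)
    for h in hosts:
        print(h, "| trimmed:", security_check(h, trimmed),
              "| full:", security_check(h, HISTORY))
    print("false negatives:", false_negatives(hosts, HISTORY))
```

Hosts on 6.4 and 6.5 are reported clean by the trimmed metadata even though they lack security fixes; only hosts already at 6.6 or later get a correct answer from it.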
