[CentOS] OpenSSL Update - not a security update???

Wed Mar 2 13:33:05 UTC 2016
Johnny Hughes <johnny at centos.org>

On 03/02/2016 05:24 AM, Anthony K wrote:
> On Tue, 2016-03-01 at 21:58 -0600, Johnny Hughes wrote:
>> On 03/01/2016 09:41 PM, Johnny Hughes wrote:
>>> But the security plugins do not work for CentOS and they never have,
>>> Peter is correct, you need to run yum update or call out the specific
>>> packages you want updated.
>>>
> 
> I totally understand the necessity of a full system update.  However, this begs
> the question "Why code an option into yum that is of no use?"  Was there a time
> when this option was functional?  If yes, what caused its removal?  Was it a
> system compromise at some big corporation and someone got sued/fired?  What? 
>  Don't spare any gory details either!
> 
> 
> ak.

It would require 2 things that we currently don't do.

1.  Host all the RPMs ever built in one place that every update can hit.

2.  An errata.xml file that contains information that is NOT open source
and not allowed to be gathered by CentOS.  (Although James Hogarth
provided a link to one elsewhere in this thread)

First for #1:

We utilize several hundred servers and free bandwidth that they provide
that are donated to the CentOS Project to distribute updates.  This
'donated network' makes up the DNS names mirror.centos.org,
msync.centos.org, and cloud.centos.org, etc.  We use this network to
distribute CentOS Linux to more than 630 servers (external mirrors) in
85 countries all over the world.

We could not provide CentOS for free for the last 13 years if we did not
have both the hundreds of donated machines that make up
mirror.centos.org (and msync.centos.org) OR those external mirrors.

The vast majority of our donated mirror network servers do not have room
to host all the RPMs from all active centos versions in one place and to
distribute them to the vast external server network.

We can't afford to replace the hundreds of donated (free) servers with
ones that CAN host that amount of data AND also pay for enough bandwidth
to distribute it to the external mirrors.  Even if we could, not all the
current 635 mirrors would be able to take all that data.

This is one of many reasons why there is a subscription price for RHEL.

Even if we DID all of that. Other than returning a couple of updates
with the yum security plugin command, you STILL need to run 'yum update'
to get all the updates as JUST doing the security ones is not supported
/ does not necessarily fix the security issues.

Then there is #2:

The information that goes INTO the XML file we would need to generate
does not come from the source code from Red Hat Enterprise Linux that we
use to build CentOS Linux.  It would only come from screen scraping places like:

https://rhn.redhat.com/errata/rhel-server-7-errata.html

BUT, if you go to the 'terms of use' for Red Hat portals .. here:

https://access.redhat.com/help/terms/

You will see the definition of "Red Hat Content".  While we CAN
distribute the software we build (it is open source) .. we *CAN NOT*
scrape and/or Distribute content that is *NOT* open source but is
copyrighted intellectual property.

To the best of our knowledge, the information needed to create the
Errata XML file required to make the yum security plugin work is not
available in a complete open source form that we would be able to
distribute.

That is *WHY* the CentOS team does not copy and distribute any content
into our announcements, but only links to open content in our announcements.

So, we can not distribute the information that is required in the XML
file that would make the yum security plugin work .. *BUT* even if we
could, you *STILL* need to run 'yum update' to get all the updates as
JUST doing the security ones is not supported / does not necessarily fix
the security issues.

Hopefully this makes sense.

You can instead just look at this:

https://lists.centos.org/pipermail/centos-announce/

(or subscribe to the CentOS announce mailing list to get emails)

Both of those places will tell you when there is a security update.

OR, you can subscribe to RHEL and use the information in the yum
security plugin.

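The mechanism the reply describes (the yum security plugin matching an errata/updateinfo file against installed packages, and a repository that simply does not publish that file) can be demonstrated in code. The following is an added example written for this page; it is not code from the post, from yum, or from the CentOS project. Every input is constructed and embedded inline: the updateinfo.xml fragment with made-up advisory ids (EXAMPLE-SA-2016-0001, EXAMPLE-BA-2016-0002) and made-up package versions, the two repomd.xml snippets, and the `rpm -qa`-style inventory. The version comparison is a simplified re-implementation of rpm's `rpmvercmp` that ignores the `~` and `^` rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml in the layout the yum security plugin consumes.
# Advisory ids, titles, package versions and the collection name are invented.
UPDATEINFO_XML = """<updates>
  <update from="nobody@example.invalid" status="final" type="security" version="1">
    <id>EXAMPLE-SA-2016-0001</id>
    <title>Important: openssl security update (constructed example)</title>
    <severity>Important</severity>
    <pkglist><collection short="example-7">
      <package name="openssl" epoch="1" version="1.0.1e" release="99.el7_2.1" arch="x86_64">
        <filename>openssl-1.0.1e-99.el7_2.1.x86_64.rpm</filename></package>
      <package name="openssl-libs" epoch="1" version="1.0.1e" release="99.el7_2.1" arch="x86_64">
        <filename>openssl-libs-1.0.1e-99.el7_2.1.x86_64.rpm</filename></package>
    </collection></pkglist>
  </update>
  <update from="nobody@example.invalid" status="final" type="bugfix" version="1">
    <id>EXAMPLE-BA-2016-0002</id>
    <title>bash bug fix update (constructed example)</title>
    <pkglist><collection short="example-7">
      <package name="bash" epoch="0" version="4.2.46" release="20.el7" arch="x86_64">
        <filename>bash-4.2.46-20.el7.x86_64.rpm</filename></package>
    </collection></pkglist>
  </update>
</updates>"""

# Constructed repomd.xml for a repo that publishes updateinfo and one that does not
# (the post's point: CentOS repos lack the second entry, so the plugin has no data).
REPOMD_WITH_UPDATEINFO = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.gz"/></data>
</repomd>"""
REPOMD_WITHOUT_UPDATEINFO = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
</repomd>"""

# Constructed inventory shaped like the output of
#   rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
# (rpm prints "(none)" for an unset epoch; it is treated as 0 below).
INSTALLED = """openssl 1 1.0.1e 42.el7_2.1 x86_64
openssl-libs 1 1.0.1e 99.el7_2.1 x86_64
bash (none) 4.2.46 19.el7 x86_64
"""


def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare alternating numeric/alpha segments,
    numeric beats alpha, longer wins on a tie. No '~' or '^' handling."""
    if a == b:
        return 0
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evrcmp(a, b):
    """Compare (epoch, version, release) tuples the way rpm orders them."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def repo_has_updateinfo(repomd_xml):
    """True when repomd.xml advertises an updateinfo entry. Without it
    'yum --security' has nothing to match and silently lists no updates."""
    root = ET.fromstring(repomd_xml)
    return any(el.tag.endswith("}data") and el.get("type") == "updateinfo"
               for el in root.iter())


def parse_installed(text):
    """Map (name, arch) -> (epoch, version, release) from the inventory text."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release, arch = line.split()
            pkgs[(name, arch)] = ("0" if epoch == "(none)" else epoch, version, release)
    return pkgs


def applicable_updates(updateinfo_xml, installed, types=None):
    """Return (advisory_id, type, name, installed_evr, update_evr) for every
    advisory package that is newer than what is installed. types=None mirrors
    plain 'yum update'; types={'security'} mirrors 'yum --security update'."""
    hits = []
    for upd in ET.fromstring(updateinfo_xml).findall("update"):
        utype = upd.get("type")
        if types is not None and utype not in types:
            continue
        for pkg in upd.iter("package"):
            key = (pkg.get("name"), pkg.get("arch"))
            if key not in installed:
                continue
            new = (pkg.get("epoch") or "0", pkg.get("version"), pkg.get("release"))
            if evrcmp(new, installed[key]) > 0:
                fmt = lambda e: "%s:%s-%s" % e
                hits.append((upd.findtext("id"), utype, key[0], fmt(installed[key]), fmt(new)))
    return hits


if __name__ == "__main__":
    print("repo publishes updateinfo:", repo_has_updateinfo(REPOMD_WITH_UPDATEINFO),
          repo_has_updateinfo(REPOMD_WITHOUT_UPDATEINFO))
    inv = parse_installed(INSTALLED)
    print("security only:", applicable_updates(UPDATEINFO_XML, inv, types={"security"}))
    print("all updates:  ", applicable_updates(UPDATEINFO_XML, inv))
```

Run against the constructed data, the security-only pass reports just the openssl advisory (openssl-libs is already at the advisory's version), while the unfiltered pass also picks up the bugfix advisory for bash, which is the post's warning that filtering to security advisories alone does not give you everything `yum update` would install. The `repo_has_updateinfo` check is the one to run first against a real repository's `repodata/repomd.xml`: if it returns False, the plugin cannot report anything, regardless of what is actually pending.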