On 04/08/2020 23:50, Jon Pruente wrote: > On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote: > >> Q5) If the answer to the last question is "no": shouldn't there be such >> a resource? >> > CentOS doesn't publish security errata. If you need it then you should > either buy RHEL, or deal with putting together your own set up with > something like http://cefs.steve-meier.de/ I expected just this answer, and we do have a RHEL subscription (and BTW: thanks for the link). But you missed the main point by omitting the other questions (especially Q1, Q2 and Q3): There are upstream package versions that were never rebuilt for CentOS. For instance: If, for whatever reason, I am required to stay with nginx 1.14.1 then the missing rebuild of the packages mentioned in RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would leave me with a vulnerable system. The question for an OVAL feed is actually an add-on question: In the same spirit that is the base for the CentOS project itself: wouldn't such a feed be a good thing to have? Otherwise your answer could be the catch-all answer to all questions CentOS: Go get a commercial subscription. Personally, I think such an answer is not very helpful. So what do you think about the underlying issue? Under what argumentation does it NOT constitute to be an issue? peter