[CentOS] CentOS Security Advisories OVAL feed??

Wed Aug 5 06:05:39 UTC 2020
centos at niob.at <centos at niob.at>

On 04/08/2020 23:50, Jon Pruente wrote:
> On Tue, Aug 4, 2020 at 11:34 AM <centos at niob.at> wrote:
>> Q5) If the answer to the last question is "no": shouldn't there be such
>> a resource?
> CentOS doesn't publish security errata. If you need it then you should
> either buy RHEL, or deal with putting together your own set up with
> something like http://cefs.steve-meier.de/

I expected just this answer, and we do have a RHEL subscription (and 
BTW: thanks for the link). But you missed the main point by omitting the 
other questions (especially Q1, Q2 and Q3): There are upstream package 
versions that were never rebuilt for CentOS.

For instance: If, for whatever reason, I am required to stay with nginx 
1.14.1 then the missing rebuild of the packages mentioned in 
RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would 
leave me with a vulnerable system.

The question for an OVAL feed is actually an add-on question: In the 
same spirit that is the base for the CentOS project itself: wouldn't 
such a feed be a good thing to have? Otherwise your answer could be the 
catch-all answer to all questions CentOS: Go get a commercial 
subscription. Personally, I think such an answer is not very helpful.

So what do you think about the underlying issue? Under what 
argumentation does it NOT constitute to be an issue?