The whole issue of "support longevity" raises an issue I've been pondering, is 10-year support a good thing from a security perspective? At work we use Ubuntu LTS which has only a five year support cycle (you can pay for an extra five years) but, even with that, issues have arisen. Although they do security and bug fix updates, the package versions remain basically the same. So, if a package is on version 1.2.3, it remains 1.2.3 with bug fixes and security patches for the life of the distribution. Does Red Hat/CentOS do the same thing? The reason I ask is I ran into an issue where OpenVPN was updated in a later release to support a more robust security architecture which wasn't available until I upgraded. A configuration change could have addressed a security weakness in the older version so that the issue wasn't one of a security patch. However, the change required a lot of effort to implement. Now I'm wondering about packages in general. ________________________________ From: CentOS <centos-bounces at centos.org> on behalf of Lamar Owen <lowen at pari.edu> Sent: Monday, December 14, 2020 10:57 AM To: CentOS mailing list <centos at centos.org> Subject: [EXTERNAL] Re: [CentOS] CentOS 8 future CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Harriscomputer Leroy Tennison Network Information/Cyber Security Specialist E: leroy at datavoiceint.com P: [cid:Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG] 2220 Bush Dr McKinney, Texas 75070 www.datavoiceint.com<http://www..com> This message has been sent on behalf of a company that is part of the Harris Operating Group of Constellation Software Inc. If you prefer not to be contacted by Harris Operating Group please notify us<http://subscribe.harriscomputer.com/>. This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message. On 12/12/20 10:34 PM, Konstantin Boyandin via CentOS wrote: > My only concern ATM is whether RH can change its CentOS 7 maintenance > plans as well, all of a sudden. This is what bothers me, too, but in a slightly different way. Even for the GPL software, Red Hat actually doesn't have to provide public access to the source code; the only thing required by GPL is that those who receive binaries must be able to get sources. So, even though it has been said that the source will be available, well, it was also said that C8 would be supported to 2029. There are enough packages in RHEL with non-GPL licenses where it would be very difficult to rebuild the whole distribution without them, and RH is not required by those licenses (MIT, BSD, and others) to redistribute those modified sources even to people who have been distributed binaries. So, while I want to believe that the sources will remain available, that belief relies on trust, which unfortunately is less abundant these days. So while using another rebuild seems to be a good stopgap solution, I do wonder if it will prove to be sustainable post-2021. I'm personally looking at which of the four (that we know about) to possibly go to; I just really doubt I am going to use Oracle; Rocky isn't really there yet and is very young; Springdale is available, mature, and academically supported (nothing wrong with that, just a statement); CloudLinux OS Project Lenix isn't yet released. Out of the bunch, Springdale would be my first choice right now because it's been around a very long time and is available now. C8 is supposed to be around until end of 2021, so there is some time for the dust to settle and the way to become more clear, though. But CentOS 8 Stream is only an option for me if the hardware driver KABI synchronization issue is solved and stays solved. RHEL? Under the current subscription models we just can't afford it. (Cost also keeps SLES out of the running.) But I'm now seriously considering just simply going to something that is both older than Red Hat, fully and totally open, extremely well-supported by a diverse developer community, and used by a whole lot of people. Yes, that's Debian; until I realized where the name came from (Deb and Ian) it read to me like a play on 'deviant.' The 'stable' period is shorter, for sure. The tradeoffs are pretty simple: guaranteed openness versus less change for ten years. So, let's look at that last piece. CentOS 6's support just ended; what have the last nine years and three months of actual C6 support looked like? I supported several C6 machines, and there were distinct challenges early on, at least for the first four years or so. Since then, on the server, it's been very stable, but really old; key pieces of infrastructure software we use slowly became unusable on C6 due to the old versions of specific packages, and either a third-party repo with newer packages or a newer CentOS was needed. Third-party repos have improved over the years, but some of the earlier C6 machines I installed had packages from Linuxtech, Dag, ATrpms, City-Fan (one particular DVD burner that just had to have the non-wodim cdrtools for some reason; yes, I know all the warnings about that repo), and others. Having EPEL and Dag both package a few things that I needed, but package them differently, introduced me to package pinning and repo priorities.... I don't miss those days. Seriously stable in the core repos means very little when you need much less stable third-party repos to get actual work done. That's also why Fedora isn't really an option, just too much package churn; been there, done that, a few years ago. So I've started re-evaluating just why I use CentOS anyway; the answer really boils down to the fact that I started out with Red Hat Linux in 1997 (I live in North Carolina, and I've always liked supporting local companies) and I just really don't want to change; it feels like I've wasted so much effort if I change now (that was the reason I stuck with it through the Fedora-RHEL split years ago, too, and went with a RHEL rebuild, first WBEL then CentOS). But the reality is not nearly so stark; a vast majority of the information and skills I've picked up in these years are portable to other distributions; so it's not wasted effort. Well, other than RPM packaging skills; those are a bit less portable. Whenever I've built from source I've tried to either build my own RPM for it or rebuild the Fedora RPM for it, and so I have a local repo of those packages, making reinstall much easier. So it becomes a tossup: small change to another rebuild now, possibility of major change later, or bite the bullet and go ahead and get the major change over with and only have small changes later. _______________________________________________ CentOS mailing list CentOS at centos.org https://lists.centos.org/mailman/listinfo/centos