On Thu, Dec 10, 2020 at 05:25:16PM -0800, Gordon Messmer wrote:
> ... snip ...
> Today, CentOS is a release stage after Stage 5 described above. The CentOS
> maintainers begin work on a minor release after that release is available to
> RHEL consumers, and the process of rebuilding those packages is often very
> time consuming. CentOS maintainers have to reverse-engineer the exact order
> in which packages are built, with the exact set of installed and available
> packages in the build environment in order to ensure that the resulting
> package actually uses the same interfaces that RHEL's packages do. All
> packages require that ordering and build environment matching, but most
> packages are published in small sets and ordering is much easier to identify
> than it is when they are published in a large batch.
>
> As a result, security updates can't be published for CentOS while the
> maintainers are rebuilding the minor release, because the build dependencies
> aren't available yet. Those windows occur every six months, and are
> typically a month or more in length. [2]
>
> Today, CentOS users accept the risk that for roughly two months out of the
> year, their systems may have known vulnerabilities with no patch to
> remediate the problem. Personally, I think that's a huge risk that needs
> to be weighed against the costs of RHEL licenses whenever CentOS is used in
> production.
>
> The good news is that CentOS Stream looks like it won't have that problem.
> CentOS Stream updates still won't be prepared early, while vulnerability
> details are embargoed, but there aren't any windows in which CentOS Stream
> can't immediately begin work on preparing updates once the embargo ends.
> That means that CentOS Stream will be as secure as CentOS is today in
> between minor updates, and significantly more secure than CentOS is today
> while its maintainers prepare minor releases.
While I agree with your entire post, Gordon, this specific point I think is the most critical. In our environment, we already need to look to the Continuous Release repos to get critical security updates during this embargo period. I'm betting Stream will be no less well vetted than the CR repos, and likely will be better. In any case, the burden for tracking down the updates will be much less with Stream: we'll just get the packages through our normal channels, rather than going on a hunt through CVEs and Bugzilla, then temporarily enabling the CR repos for just the period of time when we need to get the updates before disabling them again.

> ... snip ...

-- 
-- Skylar Thompson (skylar2 at u.washington.edu)
-- Genome Sciences Department (UW Medicine), System Administrator
-- Foege Building S046, (206)-685-7354
-- Pronouns: He/Him/His