Am 03.07.23 um 02:00 schrieb Michael Catanzaro:
On Sun, Jul 2 2023 at 06:27:48 PM -0400, Demi Marie Obenour demiobenour@gmail.com wrote:
What about stuff that is too urgent to wait on Red Hat QA? There have been vulnerabilities (such as CVE-2013-0156 and Log4Shell) for which unauthenticated, fully automated, remote code execution exploits have been found very, _very_ quickly. There may well be times when attackers can write and use an exploit faster than Red Hat QA can process an update. For these vulnerabilities waiting on Red Hat QA is not an option.
Dire emergencies like these are extremely rare, but when they do occur, everybody needs to work together to get updates out to all users ASAP. That's true for every distro. Hypothetically speaking, if I were ever unfortunate enough to be responsible for an emergency scenario like that, I'd still want enough basic QA to at least ensure that the update won't eat your disk, but such decisions would surely be handled on a case-by-case basis.
In a more normal situation, updates take a few days to prepare. I really don't think there's any problem with how CVEs are handled in CentOS Stream *except* for the problem I mentioned earlier about maintainers forgetting to push package updates to CentOS Stream by mistake. We need a better process to ensure human error doesn't result in CentOS Stream missing security or non-security updates. (This impacts RHEL too, because future minor releases are built from CentOS Stream, and we don't want fixes to disappear in future releases.)
There is also demand between major release, some "features" are missing in EL9 for instance.