On Fri, Jun 23 2023 at 01:27:24 PM -0400, Josh Boyer
<jwboyer@fedoraproject.org> wrote:
> Which means equivalent fixes are in CentOS Stream and anyone wanting
> to recreate exactly what is in RHEL is welcome to backport that code
> from CentOS Stream or upstream.
Yes, but that's going to be pretty hard to do if you cannot see what
needs to be backported because you don't have a Customer Portal
subscription. :)
Yes, the work you do is not easy.
In this particular case, there are two CVEs fixed somewhere in the
middle of maybe 100 other upstream changes, and the correspondence
between CVE vs. upstream commit is intentionally not public to
discourage distros from backporting individual security fixes. (It's
not a smart idea. Only 5% of WebKit security bugs get CVEs. I sometimes
do security backports for RHEL anyway for regulatory rather than
security reasons.) Anyway, to figure out what to backport in order to
match what's in RHEL, you'd have to either somehow get access to the
RHEL SRPM, or else email me and ask what to do.
Or build up a knowledge of the code base that allows one to do it themselves.
I don't really have any strong opinion about this change. Just pointing
out that it's going to be effectively impossible to reverse-engineer
RHEL from CentOS Stream. Let's not pretend that's realistic. Rebuilders
are going to need to get copies of the RHEL SRPMs somehow if they want
to match RHEL, and they do.
I don't think it's impossible. I think it requires work, skill, and investment.