On Sat, Jun 24, 2023 at 3:05 PM Michael Catanzaro mcatanzaro@redhat.com wrote:
But in practice, we actually currently have a lot of desynced packages where RHEL is ahead of CentOS Stream for various reasons. I believe most such cases are mistakes that need to be corrected, not intentional delays. E.g. if a particular developer just forgets to fix the CVE in CentOS Stream, currently nobody is checking to catch that and complain and get things fixed. Red Hat needs to catch and fix these issues proactively, but is not currently doing so. Since only Red Hat is able to commit to CentOS Stream, the community is limited to tracking desyncs and complaining when it happens. (That would be really valuable to do IMO.)
Most of the time, as you say, things work well (at least in my experience).
If one does find a security update that did not get streamed, is there a way for a non-customer[0] to open an appropriate ticket both now, and in the future when RH moves their internal bug tracker to Jira[1]?
[0] There are those that have used the clones and streams for some time without having to sign up with RH.
[1] It is not clear to me if one will need a formal support contract in order to open tickets in the future Jira instances.