On Sat, Jun 24, 2023 at 3:05 PM Michael Catanzaro <mcatanzaro(a)redhat.com> wrote:
> But in practice, we actually currently have a lot of desynced packages
> where RHEL is ahead of CentOS Stream for various reasons. I believe
> most such cases are mistakes that need to be corrected, not intentional
> delays. E.g. if a particular developer just forgets to fix the CVE in
> CentOS Stream, currently nobody is checking to catch that and complain
> and get things fixed. Red Hat needs to catch and fix these issues
> proactively, but is not currently doing so. Since only Red Hat is able
> to commit to CentOS Stream, the community is limited to tracking
> desyncs and complaining when it happens. (That would be really valuable
> to do IMO.)

Most of the time, as you say, things work well (at least in my experience).

If one does find a security update that did not get streamed, is there a way for a non-customer[0] to open an appropriate ticket both now, and in the future when RH moves their internal bug tracker to jira[1]?

[0] There are those that have used the clones and streams for some time without having to sign up with RH.

[1] It is not clear to me if one will need a formal support contract in order to open tickets into the future jira instances.