On Fri, Jun 23 2023 at 01:27:24 PM -0400, Josh Boyer jwboyer@fedoraproject.org wrote:
> Which means equivalent fixes are in CentOS Stream and anyone wanting to recreate exactly what is in RHEL is welcome to backport that code from CentOS Stream or upstream.
Yes, but that's going to be pretty hard to do if you cannot see what needs to be backported because you don't have a Customer Portal subscription. :)
In this particular case, there are two CVEs fixed somewhere in the middle of maybe 100 other upstream changes, and the correspondence between CVE vs. upstream commit is intentionally not public to discourage distros from backporting individual security fixes. (It's not a smart idea. Only 5% of WebKit security bugs get CVEs. I sometimes do security backports for RHEL anyway for regulatory rather than security reasons.) Anyway, to figure out what to backport in order to match what's in RHEL, you'd have to either somehow get access to the RHEL SRPM, or else email me and ask what to do.
I don't really have any strong opinion about this change. Just pointing out that it's going to be effectively impossible to reverse-engineer RHEL from CentOS Stream. Let's not pretend that's realistic. Rebuilders are going to need to get copies of the RHEL SRPMs somehow if they want to match RHEL, and they do.
Michael