On Jun 24, 2023, at 8:05 AM, Michael Catanzaro mcatanzaro@redhat.com wrote:
On Sat, Jun 24 2023 at 08:53:32 AM -0500, Chris Adams linux@cmadams.net wrote:
Is it? At one point, there were considerable gaps in security updates; RHEL 9.x would get an update while CentOS Stream 9 (as the target for RHEL 9.[x+1]) didn't get a corresponding update for quite a while. If Stream doesn't get security updates in a timely fashion, it is not at all suitable for production use.
So here is the reality with security updates. The vast majority of security updates are shipped in RHEL 3-9 months after we fix them, because minimizing the quantity of updates is an important goal in RHEL to reduce update churn for customers, so we only want to release quick fixes for issues that pose serious risk. (Most security issues are just not very urgent.) This means you get most security fixes drastically sooner in CentOS Stream than you would in RHEL. However, higher-severity security updates do get fixed in RHEL first. Developers are not permitted to fix higher-severity security issues in CentOS Stream until after the fix is shipped in at least one RHEL update. We're encouraged to do so immediately after the fix ships in RHEL, so there *should* only be a minor delay of, say, one or two business days for the developer to notice the update has shipped. So in general, CentOS Stream *should* generally be ahead of RHEL and ideally only slightly behind for the more serious CVEs.
With this development model, what is the thought for those who may want to / be able to submit pull requests to CentOS Stream with security fixes?