Syncing fedora packages with security patches to mirrors

Huzaifa Sidhpurwala huzaifas at redhat.com
Thu Mar 19 06:48:41 UTC 2015


Hi All,

I work for the Red Hat Product Security team, and have been a Fedora
contributor for several years. I was involved with Linux security issues
like Heartbleed, Shellshock, etc.

For some time, I have noticed that due to the way Fedora mirrors work,
it takes a lot of time for the packages with security fixes (especially
ones which have critical impact, like openssl) to sync to mirrors. We
have been announcing links to Koji builds for our users in the meantime,
which is really not scalable for large installs, etc.

Also, many times, while talking at conferences and otherwise to Fedora
users, it seems the main concern is the time it takes these security
fixes to hit our mirrors.

I have tried talking to several people about a possible solution,
including the CentOS guys, and it seems there needs to be a solution to this
problem.

One possible solution which I can think of is to have a security repo
which is not mirrored but centrally located; of course there are
several problems with this approach and it needs more discussion.

Let me know if this is the wrong list, or if I need to mail someone else to
get the ball rolling.

Thanks for your time.


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team


More information about the infrastructure mailing list