On Tue, 2009-08-11 at 15:17 +0000, Ian Murray wrote:
> Hi,
> 
> Yep, that's the ticket. I did think about doing that, but then for
> reasons I forget, I didn't. Thanks for looking that up and indeed
> there appears to be a number of updates between RH releasing 4.8 and
> SL releasing 4.8. That Johnny Hughes response was to me, in fact. I
> quoted back the Karanbir quote where Johnny was (very) less than
> certain about whether they would take that direction.
> 
> I prefer the SL way, and it obviously doesn't cause the issues that
> the Johnny was concerned about or the SL team solve them by some other
> means.

It does cause Connie and Troy significant extra effort, I figure. And
there is the occasional glitch where a hidden dependency on some other
package updated with the new minor release isn't caught immediately.
Johnny is right, there is more potential for breakage, and it does
happen. Both policies have their pros & cons. Personally, I prefer the
SL way. If the security updates (+ dependencies) are made available, one
still has the option not to apply them, or to test them thoroughly
before putting them on production systems.

Regards,
	Stephan

> Evidently, not all rebuilds are the same. ;o)
> 
> Thanks for the responses,
> 
> Ian.
> 
> 
> 
> ______________________________________________________________________
> From: Akemi Yagi <[log in to unmask]>
> To: Ian Murray <[log in to unmask]>
> Cc: Dr Andrew C Aitchison <[log in to unmask]>;
> [log in to unmask]
> Sent: Tuesday, 11 August, 2009 15:59:27
> Subject: Re: Security Updates Question
> 
> On Tue, Aug 11, 2009 at 2:12 AM, Ian Murray<[log in to unmask]>
> wrote:
> > Hi,
> >
> > Thanks for the reply. Distribution dot release is what I was
> referring to. I
> > didn't make myself clear, so my bad. I'll give an example, which
> will make
> > it clearer, hopefully.
> >
> > The other rebuild project has not yet released their equivalent to
> RHEL 4.8.
> > Obviously, RH themselves have (as have SL :o) ). As far as I
> understand,
> > after RH release 4.8, all their subsequent errata updates against
> 4.X will
> > be released with the assumption dependencies are met by packages in
> 4.8.
> >
> > The problem with the 'other' rebuild distribution is that they won't
> release
> > security updates that require dependencies that are met in 4.8 until
> the
> > have released their 4.8 equivalent distribution (Actually they
> 'roll-in'
> > recent updates). So there is a potential delay of weeks and months
> before
> > security updates are passed on whilst a distribution is being
> rebuilt, as
> > they currently don't start rebuilding the dependencies of an errata
> updated
> > package, unless it is part of the release. So they upshot is is that
> 4.7
> > users can't get security updates until 4.8 is released. As far as I
> > remember, 5.3 took 2 months to appear from the other rebuild
> project.
> >
> > I am quite happy to wait a few days for a security updates, but I do
> take
> > issue to an unknown exposure where security updates are delayed for
> an
> > unspecified length of time.
> >
> > So, does SL work the same way?
> 
> You can find what you are looking for by going through the SL's errata
> at:
> 
> http://listserv.fnal.gov/archives/scientific-linux-errata.html
> 
> Look in June, July and August. SL4.8 was announced on August 3.  You
> will find the SL4 updates that were release before the 4.8 release on
> that list.
> 
> For people who are wondering what the OP was talking about, there was
> recently a detailed description by Johnny Hughes explaining why CentOS
> does not publish updates prior to a point release:
> 
> http://lists.centos.org/pipermail/centos/2009-August/080373.html
> 
> However, there is a movement in CentOS in favor of getting the pending
> updates out whenever it is possible as seen in this post by Karanbir
> Singh:
> 
> http://lists.centos.org/pipermail/centos/2009-July/079311.html
> 
> Akemi
> 

-- 
Stephan Wiesand
  DESY - DV -
  Platanenallee 6
  15738 Zeuthen, Germany