SCIENTIFIC-LINUX-USERS Archives

August 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Dr Andrew C Aitchison <[log in to unmask]>
Reply To:
Dr Andrew C Aitchison <[log in to unmask]>
Date:
Tue, 11 Aug 2009 09:41:23 +0100
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (48 lines)
On Tue, 11 Aug 2009, Ian Murray wrote:

> Hi,
>
> I'm new to the list so please be gentle with me!

> Do the Scientific Linux maintainers use the same approach as above,
> or have they solved that issue in some other way?

The Scientific Linux maintainers release very few security updates
independently of Red Hat.


> I am a user of another well known Redhat Rebuild distribution and it
> has come to light that the maintainers don't/can't release interim 
> security updates while they are rebuilding a new dot release from 
> upstream, as far as I can understand.

I don't really understand your description.
In particular, what is a "dot release" - rpm packages typically have lots
of dots in their version and release strings?
Typically Red Hat, and hence SL, packages don't have the latest version
as the package developers, so cannot use the up-up-stream patch but have 
to back-port the fix.
For example last month the ISC released BIND updates 9.4.3-P3, 9.5.1-P3,
9.6.1-P1 and 9.7.0a1. The BIND in Red Hat 5 release 3 was updated from
9.3.4-10.P1.1 to 9.3.4-10.P1.3, so they couldn't directly update an
ISC patch but had to back port the fix to 9.4.3.
Is that what you are worried about?

> This is because upstream releases its security fixes against the most 
> recent dot release. Therefore there is a corresponding delay to 
> security releases.

Are we talking delays of hours, days or weeks?
I can imagine that it takes several hours to build a set of new packages
for every supported version of the OS, and then test them.
As far as I am aware, Red Hat don't make their security releases
available to SL or CentOS ahead of the general release, so SL
security packages can be a day or two behind the Red Hat versions.

Yes, that can be annoying for day-one exploits;
the alternatives are to pay Red Hat and to rebuild the package yourself.

-- 
Dr. Andrew C. Aitchison		Computer Officer, DPMMS, Cambridge
[log in to unmask]	http://www.dpmms.cam.ac.uk/~werdna
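An added illustration of the point made above about backported fixes and version strings; this code is not from the original message. The helper names (rpmvercmp, evrcmp, is_fixed) are my own, the comparison follows the rules of librpm's rpmvercmp(), and the 9.3.4-10.P1.x values are the ones quoted in the message: because the distribution backports, the installed package has to be judged against the errata's fixed version-release, not against the upstream version number, which the backported build will never reach.

```python
import re

# One segment per run of digits, run of letters, or a '~' (pre-release marker).
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, like librpm's rpmvercmp()."""
    # '.' '-' '_' only delimit; numeric beats alpha; '~' sorts below everything.
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")   # more digits wins, then lexical
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # Whichever string has segments left over is newer, unless what is left
    # starts with '~' (a pre-release suffix such as ~rc1), which makes it older.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if not rest:
        return 0
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1

def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")        # epoch is '' when absent
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evrcmp(a: str, b: str) -> int:
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed_evr: str, errata_evr: str) -> bool:
    """True when the installed package is at or past the errata's fixed EVR."""
    return evrcmp(installed_evr, errata_evr) >= 0
```

On a live box the installed value comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' bind`, and the errata's fixed value from the vendor advisory; note that rpmvercmp("9.3.4", "9.4.3") is -1 for the patched and unpatched build alike, which is why the upstream number is useless for this check.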
