On Tue, 11 Aug 2009, Ian Murray wrote:
> Hi,
>
> I'm new to the list so please be gentle with me!
> Do the Scientific Linux maintainers use the same approach as above,
> or have they solved that issue in some other way?
The Scientific Linux maintainers release very few security updates
independently of Red Hat.
> I am a user of another well known Redhat Rebuild distribution and it
> has come to light that the maintainers don't/can't release interim
> security updates while they are rebuilding a new dot release from
> upstream, as far as I can understand.
I don't really understand your description.
In particular what is a "dot release" - rpm packages typically have lots
of dots in their version and release strings?
Typically Red Hat, and hence SL, packages don't have the latest version
as the package developers, so cannot use the up-up-stream patch but have
to back-port the fix.
For example last month the ISC released BIND updates 9.4.3-P3, 9.5.1-P3,
9.6.1-P1 and 9.7.0a1. The BIND in Red Hat 5 release 3 was updated from
9.3.4-10.P1.1 to 9.3.4-10.P1.3, so they couldn't directly update an
ISC patch but had to back port the fix to 9.4.3.
Is that what you are worried about?
> This is because upstream releases its security fixes against the most
> recent dot release. Therefore there is a corresponding delay to
> security releases.
Are we talking delays of hours, days or weeks?
I can imagine that it takes several hours to build a set of new packages
for every supported version of the OS, and then test them.
As far as I am aware, Red Hat don't make their security releases
available to SL or CentOS ahead of the general release, so SL
security packages can be a day or two behind the Red Hat versions.
Yes, that can be annoying for day-one exploits;
the alternatives are pay Red Hat and rebuild the package yourself.
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
http://www.dpmms.cam.ac.uk/~werdna
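The reply above turns on the difference between the upstream version string (9.3.4) and the distribution's release string (10.P1.1 vs 10.P1.3): a back-ported fix bumps only the release, so the upstream version on the box never tells you whether a fix is present. The following is an added example, not code from the list or from Red Hat or Scientific Linux, showing how rpm-style version/release strings compare and how to recognise a release-only bump. It assumes a simplified segment comparison (numeric vs alphabetic segments, as rpm does; tilde and caret handling is omitted) and uses the BIND strings quoted in the thread as sample input.

```python
import re


def _segments(s):
    """Split a version or release string into numeric and alphabetic runs.
    Separators such as '.' and '-' are discarded, as rpm does."""
    return re.findall(r'\d+|[A-Za-z]+', s)


def rpmvercmp(a, b):
    """Compare two version-ish strings the way rpm compares segments.
    Returns -1, 0 or 1. Simplified: no tilde/caret support (assumption)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum and ynum:
            xi, yi = int(x), int(y)          # numeric segments compare as integers
            if xi != yi:
                return -1 if xi < yi else 1
        elif xnum != ynum:
            return 1 if xnum else -1         # a numeric segment sorts newer than an alpha one
        else:
            if x != y:                       # both alphabetic: plain string order
                return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1    # more segments wins when the prefix is equal


def split_vr(vr):
    """'9.3.4-10.P1.3' -> ('9.3.4', '10.P1.3'): upstream version, distro release."""
    version, _, release = vr.partition('-')
    return version, release


def compare_vr(a, b):
    """Compare two version-release strings: version first, then release."""
    va, ra = split_vr(a)
    vb, rb = split_vr(b)
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_backported_update(old, new):
    """True when the upstream version is unchanged and only the release moved
    forward: the pattern a back-ported security fix leaves behind."""
    vo, ro = split_vr(old)
    vn, rn = split_vr(new)
    return vo == vn and rpmvercmp(rn, ro) > 0


if __name__ == "__main__":
    # Constructed sample taken from the strings quoted in the thread.
    old, new = "9.3.4-10.P1.1", "9.3.4-10.P1.3"
    print(compare_vr(old, new))              # -1: the old package is older
    print(is_backported_update(old, new))    # True: release bump, same upstream version
    print(rpmvercmp("9.4.3", "9.3.4"))       # 1: the ISC release is a newer upstream version
```

The practical point for a defender: when auditing a rebuild distribution, compare the full version-release pair against the vendor advisory rather than the upstream version alone, since a fixed package will still report the old upstream version.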