SCIENTIFIC-LINUX-USERS Archives

February 2020

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Stephan Wiesand <[log in to unmask]>
Reply To: Stephan Wiesand <[log in to unmask]>
Date: Wed, 26 Feb 2020 14:57:09 +0100
Bonjour,

> On 25. Feb 2020, at 10:49, Winnie Lacesso <[log in to unmask]> wrote:
> 
> This was posted to SLU in 2012 but didn't get any actual answers. It's
> reposted in case anyone can firmly say (or no) that the situation has
> changed or is the same. *Is* it true that CentOS still have a period when
> they do *not* release security updates for earlier OS dot releases, thus
> leaving those earlier dot releases vulnerable?

They generally don't release updates for earlier dot releases, only for the
latest minor CentOS release that was published. This hasn't changed.

There has been some improvement regarding the gap between a RHEL minor release
and completion of the corresponding CentOS one though, by introducing the
"continuous release" repository.

See https://wiki.centos.org/AdditionalResources/Repositories/CR for details.

But you still have to update to the latest dot release as soon as it's published
to continue receiving package updates.

It's also still true that CentOS does not distinguish security updates from
bug fixes and enhancements.

> (Security is one reason we stuck with SL with Super-Gratitude to them!)

Indeed the SL team at FNAL has been doing an outstanding job providing
security updates for their minor releases. I'm afraid the only equivalent
replacement for SL is a RHEL subscription with the EUS add-on.

Hope this helps
	Stephan

> My security colleagues said:
> --------
> My reading of the thread surrounding that quote is that CentOS *do* 
> release security patches between "dot" releases, but that they stop in the 
> period between Red Hat releasing an update and the time that they have 
> pushed that update out themselves. Thus, 5.3 has been released by both Red 
> Hat and CentOS and is receiving updates, but when 5.4 comes out from Red 
> Hat, all their security updates will not necessarily work on 5.3 so CentOS 
> stops releasing them. As soon as CentOS gets 5.4 out of the door, the 
> updates will start again (and they will have rolled the missing ones into 
> their 5.4 release). 
> 
> It is significant though (i.e. potentially a couple of months without
> security fixes when a new CentOS point release is being prepared), and
> something I wasn't aware of. At the very least, CentOS admins need to be
> aware of this until and unless the policy changes.
> --------
> 
> Original post: PS I haven't verified the links are still valid! (sorry)
> --------
> In 2009 I was surprised to learn from this useful+informative SL-User's 
> list, that CentOS does not always release security updates in a timely 
> manner: 
> 
> http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=scientific-linux-users&D=0&T=0&P=4484
> "It has come to light that the maintainers don't/can't release interim  
> security updates while they are rebuilding a new dot release from 
> upstream" 
> 
> http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=SCIENTIFIC-LINUX-USERS&P=R7106&I=-3
> "For example, once Redhat releases a point release, an attacker knows that
> any subsequent errata can be used against a CentOS box at least until the 
> CentOS project releases the corresponding point release. It is quite 
> literally a sitting duck."
> 
> http://listserv.fnal.gov/scripts/wa.exe?A2=ind0908&L=scientific-linux-users&D=0&T=0&P=4999
> "(About CentOS & why user is switching from CentOS to SL:) So there is a
> potential delay of weeks and months before security updates are passed on 
> whilst a distribution is being rebuilt, as they currently don't start 
> rebuilding the dependencies of an errata updated package, unless it is
> part of the release. I am quite happy to wait a few days for a security 
> updates, but I do take issue to an unknown exposure where security updates
> are delayed for an unspecified length of time."
> 
> Question: that was in 2009. Does anyone know, is the above still true of 
> CentOS? (Apols - I don't wish to join CentOS list just to find that out & 
> am unable to find out via some searching)
> (We are debating building some new servers as SL vs CentOS, & timely
> security updates are relevant to us)
> 
> Many thanks for pointers/enlightenment.
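The two practical consequences of the policy discussed above are that a host on an older dot release gets no further package updates until it is moved to the latest minor, and that enabling the "continuous release" repository is the way to shorten the gap after a new RHEL minor ships. The script below is an added example (not from this thread or from the CentOS project) that checks both conditions from the release string and the CR repo file. It assumes CentOS 7 file layouts (`/etc/centos-release`, `/etc/yum.repos.d/CentOS-CR.repo`); the `LATEST_MINOR` value and the sample file contents are constructed for offline use and must be replaced with the current release announcement and the real files on a live host.

```shell
#!/bin/sh
# Added example, not part of the original list thread.
# Reports whether a CentOS host is still on an older dot release (the window
# in which CentOS publishes no updates for it) and whether the CR repository
# is enabled to cover the rebuild gap after a new RHEL minor release.

# Extract "<major>.<minor>" from a CentOS release string.
# "CentOS Linux release 7.6.1810 (Core)" -> "7.6"; "CentOS release 6.10 (Final)" -> "6.10"
minor_from_release_string() {
    printf '%s\n' "$1" | sed -n 's/^CentOS.* release \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Compare the host's minor ($1) with the latest published minor ($2).
# Prints "behind", "current", "ahead", or "unknown" (different major release).
compare_minor() {
    host_major=${1%%.*}; host_minor=${1#*.}
    latest_major=${2%%.*}; latest_minor=${2#*.}
    if [ "$host_major" -ne "$latest_major" ]; then
        echo "unknown"; return
    fi
    if [ "$host_minor" -lt "$latest_minor" ]; then echo "behind"
    elif [ "$host_minor" -eq "$latest_minor" ]; then echo "current"
    else echo "ahead"
    fi
}

# Exit 0 if the .repo contents in $1 have enabled=1 inside the [cr] section.
# Other sections (e.g. [base] with enabled=1) must not count.
cr_repo_enabled() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_cr = ($0 == "[cr]") }
        in_cr && /^enabled[ \t]*=[ \t]*1[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Combine both checks into one status line: "<behind|current|ahead|unknown> cr=<enabled|disabled>"
assess_host() {
    # $1: release string, $2: CR .repo contents, $3: latest published minor
    minor=$(minor_from_release_string "$1")
    status=$(compare_minor "$minor" "$3")
    if cr_repo_enabled "$2"; then cr=enabled; else cr=disabled; fi
    echo "$status cr=$cr"
}

# ---- constructed sample inputs (replace with the real files on a live host) ----
LATEST_MINOR='7.7'   # assumption: take this from the latest CentOS 7 release announcement
SAMPLE_RELEASE_OLD='CentOS Linux release 7.6.1810 (Core)'
SAMPLE_RELEASE_NEW='CentOS Linux release 7.7.1908 (Core)'
SAMPLE_CR_DISABLED='[base]
name=CentOS-$releasever - Base
enabled=1

[cr]
name=CentOS-$releasever - cr
gpgcheck=1
enabled=0
'
SAMPLE_CR_ENABLED='[cr]
name=CentOS-$releasever - cr
gpgcheck=1
enabled=1
'

# Stand-alone run over the constructed samples.
echo "old host, CR off: $(assess_host "$SAMPLE_RELEASE_OLD" "$SAMPLE_CR_DISABLED" "$LATEST_MINOR")"
echo "new host, CR on:  $(assess_host "$SAMPLE_RELEASE_NEW" "$SAMPLE_CR_ENABLED" "$LATEST_MINOR")"
```

On a live host, feed `cat /etc/centos-release` and `cat /etc/yum.repos.d/CentOS-CR.repo` to `assess_host`. A "behind" result means the host must run a full `yum update` to the latest minor before it receives any further fixes; because CentOS base repositories carry no errata metadata, `yum update --security` cannot select security-only updates, which is the "does not distinguish security updates" point made above.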
