SCIENTIFIC-LINUX-USERS Archives

May 2021

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Konstantin Olchanski <[log in to unmask]>
Reply To: Konstantin Olchanski <[log in to unmask]>
Date: Wed, 5 May 2021 14:47:56 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (44 lines)

On Tue, May 04, 2021 at 10:57:11AM +0000, Jose Marques wrote:
> 
> My view is that Stream is exactly what RHEL say it is, a development distribution to which 3rd parties can contribute to RHEL development and from which 3rd parties can base their own distributions. It's not for end users, or small organisations that need timely security updates and other fixes and can't produce same themselves.
> 

This is exactly what puzzles me. The food chain seems to be:

{GNOME,systemd,Poettering,etc} -> Fedora -> CentOS Stream -> RHEL

The purpose of RHEL seems to be clear: stuff that reaches RHEL has been hammered enough that it mostly works.

The purpose of Fedora is clear: this is the bleeding edge; whatever work, works; whatever is broken, we fix tomorrow, but no promises.

But what is CentOS Stream in the middle? How is it different from Fedora? Is it:

a) stuff that is not good enough yet for RHEL? (needs more hammering until it works). (but "not good enough for RHEL" probably means "not good enough for me"?).
b) just Fedora N-1?
c) "best of" selection of packages from Fedora N, N-1, N-2, etc?
d) all of the above plus secret/proprietary/NDA fixes for security and hardware bugs?

Perhaps the answer truly is as Red Hat have been saying all along - "this is our internal development process". But in this case,
how/why would anybody recommend "an internal development process" "thing" for any kind of production use?

Hmm... If quality is good enough, maybe it is ok. Let's see how quickly they fix security CVEs...

I pick https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20194 at random, I follow the references through
https://bugzilla.redhat.com/show_bug.cgi?id=1912683

- Fedora: all versions affected, fix available
- RHEL: affected, see https://access.redhat.com/security/cve/cve-2021-20194
- CentOS Stream: no info, google search for "CVE-2021-20194 centos" and "... centos stream" yields nothing. ("... ubuntu" yields the expected notvulnerable/fixreleased page)

Ok, maybe some obscure CVE was a bad choice. How about the "sudo" CVE-2021-3156? I do not see any notice of resolution for centos stream. (I see notices for RHEL, Ubuntu, Fedora, etc. Of course CentOS "Linux" follows the RHEL CVEs).

Now I have to ask, does "CentOS Stream" even follow the CVE process? (notices of vulnerability, "fix available", etc). (CentOS "Linux" follows the RHEL CVE process, of course).

Not that I am dumping on CentOS Stream, I am just trying to understand how it works as a suggested replacement for CentOS Linux.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada