On 04/08/2020 23:50, Jon Pruente wrote:
On Tue, Aug 4, 2020 at 11:34 AM <cen...@niob.at> wrote:
Q5) If the answer to the last question is "no": shouldn't there be such
a resource?
CentOS doesn't publish security errata. If you need it then you should
either buy RHEL, or deal with putting together your own set up with
something like http://cefs.steve-meier.de/
I expected just this answer, and we do have a RHEL subscription (and
BTW: thanks for the link). But you missed the main point by omitting the
other questions (especially Q1, Q2 and Q3): There are upstream package
versions that were never rebuilt for CentOS.
For instance: If, for whatever reason, I am required to stay with nginx
1.14.1 then the missing rebuild of the packages mentioned in
RHSA-2019:2799 (https://access.redhat.com/errata/RHSA-2019:2799) would
leave me with a vulnerable system.
The question for an OVAL feed is actually an add-on question: In the
same spirit that is the base for the CentOS project itself: wouldn't
such a feed be a good thing to have? Otherwise your answer could be the
catch-all answer to all questions CentOS: Go get a commercial
subscription. Personally, I think such an answer is not very helpful.
So what do you think about the underlying issue? Under what
argumentation does it NOT constitute to be an issue?
peter
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
