On Tue, 11 Aug 2009, Ian Murray wrote:

Hi,

I'm new to the list so please be gentle with me!

Do the Scientific Linux maintainers use the same approach as above,
or have they solved that issue in some other way?

The Scientific Linux maintainers release very few security updates
independently of Red Hat.


I am a user of another well known Redhat Rebuild distribution and it
has come to light that the maintainers don't/can't release interim security updates while they are rebuilding a new dot release from upstream, as far as I can understand.

I don't really understand your description.
In particular, what is a "dot release"? rpm packages typically have lots of dots in their version and release strings.
Typically Red Hat, and hence SL, packages don't have the latest version
from the package developers, so they cannot use the up-upstream patch but have to back-port the fix. For example, last month the ISC released BIND updates 9.4.3-P3, 9.5.1-P3, 9.6.1-P1 and 9.7.0a1. The BIND in Red Hat 5 release 3 was updated from
9.3.4-10.P1.1 to 9.3.4-10.P1.3, so they couldn't directly use an
ISC patch but had to back-port the fix to 9.4.3.
Is that what you are worried about?

This is because upstream releases its security fixes against the most recent dot release. Therefore there is a corresponding delay to security releases.

Are we talking delays of hours, days or weeks?
I can imagine that it takes several hours to build a set of new packages
for every supported version of the OS, and then test them.
As far as I am aware, Red Hat don't make their security releases
available to SL or CentOS ahead of the general release, so SL
security packages can be a day or two behind the Red Hat versions.

Yes, that can be annoying for day-one exploits;
the alternatives are to pay Red Hat or to rebuild the package yourself.

--
Dr. Andrew C. Aitchison         Computer Officer, DPMMS, Cambridge
[email protected]   http://www.dpmms.cam.ac.uk/~werdna
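A worked illustration of the back-porting point in the reply above, added here and not part of the original thread: because Red Hat back-ports the ISC fix into 9.3.4 rather than moving to 9.4.3-P3, a checker that compares the installed package against the upstream version number wrongly reports the host as vulnerable, while comparing against the distribution's own fixed version-release (the rpm way, with a simplified rpmvercmp) gives the right answer. The `.el5` suffixes and the advisory package name are constructed sample values.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version/release comparison (rpmvercmp semantics):
    split into digit runs, letter runs and '~'; digits compare numerically,
    letters lexically, a digit run beats a letter run, '~' sorts below
    everything (1.0~rc1 < 1.0), and otherwise the longer string is newer."""
    if a == b:
        return 0
    ta = re.findall(r"\d+|[A-Za-z]+|~", a)
    tb = re.findall(r"\d+|[A-Za-z]+|~", b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():
            c = 1 if x.isdigit() else -1   # numeric segment is "newer" than alpha
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(ta) == len(tb):
        return 0
    a_longer = len(ta) > len(tb)
    rest = ta[len(tb):] if a_longer else tb[len(ta):]
    if rest[0] == "~":                     # trailing "~rc1" makes it older, not newer
        return -1 if a_longer else 1
    return 1 if a_longer else -1

def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release) tuples: epoch first, then version, then release."""
    if a[0] != b[0]:
        return (a[0] > b[0]) - (a[0] < b[0])
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def parse_nvr(nvr: str):
    """'bind-9.3.4-10.P1.3.el5' -> ('bind', '9.3.4', '10.P1.3.el5')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_patched(installed_nvr: str, advisory_nvr: str, epoch: int = 0) -> bool:
    """True when the installed package is at or beyond the distribution's fixed version-release."""
    n1, v1, r1 = parse_nvr(installed_nvr)
    n2, v2, r2 = parse_nvr(advisory_nvr)
    if n1 != n2:
        raise ValueError("package names differ: %s vs %s" % (n1, n2))
    return evr_cmp((epoch, v1, r1), (epoch, v2, r2)) >= 0

if __name__ == "__main__":
    installed = "bind-9.3.4-10.P1.3.el5"            # the back-ported package from the reply
    print("naive upstream check says vulnerable:", rpmvercmp("9.3.4", "9.4.3") < 0)   # True
    print("advisory EVR check says patched:", is_patched(installed, "bind-9.3.4-10.P1.3.el5"))  # True
```

Vulnerability scanners that key on the upstream version string produce exactly this kind of false positive on Red Hat rebuilds; match against the distribution's errata version-release instead.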
