On Tue, May 04, 2021 at 10:57:11AM +0000, Jose Marques wrote:
> 
> My view is that Stream is exactly what RHEL say it is, a development 
> distribution to which 3rd parties can contribute to RHEL development and from 
> which 3rd parties can base their own distributions. It's not for end users, 
> or small organisations that need timely security updates and other fixes and 
> can't produce same themselves.
> 

This is exactly what puzzles me. The food chain seems to be:

{GNOME,systemd,Poettering,etc} -> Fedora -> CentOS Stream -> RHEL

The purpose of RHEL seems to be clear: stuff that reaches RHEL has been 
hammered enough that it mostly works.

The purpose of Fedora is clear: this is the bleeding edge; whatever works, 
works; whatever is broken, we fix tomorrow, but no promises.

But what is CentOS Stream in the middle? How is it different from Fedora? Is it:

a) stuff that is not good enough yet for RHEL? (needs more hammering until it 
works). (but "not good enough for RHEL" probably means "not good enough for 
me"?).
b) just Fedora N-1?
c) "best of" selection of packages from Fedora N, N-1, N-2, etc?
d) all of the above plus secret/proprietary/NDA fixes for security and hardware 
bugs?

Perhaps the answer truly is as Red Hat have been saying all along - "this is 
our internal development process". But in this case,
how/why would anybody recommend "an internal development process" "thing" for 
any kind of production use?

Hmm... If quality is good enough, maybe it is ok. Let's see how quickly they 
fix security CVEs...

I pick https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20194
at random, I follow the references through
https://bugzilla.redhat.com/show_bug.cgi?id=1912683

- Fedora: all versions affected, fix available
- RHEL: affected, see https://access.redhat.com/security/cve/cve-2021-20194
- CentOS Stream: no info, google search for "CVE-2021-20194 centos" and "... 
centos stream" yields nothing. ("... ubuntu" yields the expected 
notvulnerable/fixreleased page)

Ok, maybe some obscure CVE was a bad choice. How about the "sudo" CVE-2021-3156? 
I do not see any notice of resolution for centos stream. (I see notices for 
RHEL, Ubuntu, Fedora, etc. Of course CentOS "Linux" follows the RHEL CVEs).

Now I have to ask, does "CentOS Stream" even follow the CVE process? (notices 
of vulnerability, "fix available", etc). (CentOS "Linux" follows the RHEL CVE 
process, of course).

Not that I am dumping on CentOS Stream, I am just trying to understand how it 
works as a suggested replacement for CentOS Linux.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada

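Added example, not part of the mailing-list post above: when a distribution publishes no per-CVE advisory page (the situation the post describes for CentOS Stream), the installed RPM's changelog is the record that a backported fix was applied, because Red Hat-derived packages name the CVE in a "Resolves:" line. The script below checks a changelog text for a CVE identifier as a whole word, and a wrapper runs the same check over `rpm -q --changelog` for an installed package. The changelog text embedded here is constructed for illustration (the maintainer name, version and dates are made up); only the CVE identifiers come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): confirm a CVE fix from an RPM changelog.

# cve_fixed_in_text CVE-ID CHANGELOG-TEXT
# Returns 0 if the changelog mentions the CVE as a whole word (so CVE-2021-3156
# does not match CVE-2021-31560), 1 if it does not, 2 if the ID is malformed.
cve_fixed_in_text() {
    cve="$1"
    text="$2"
    case "$cve" in
        CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*) ;;
        *) echo "malformed CVE id: $cve" >&2; return 2 ;;
    esac
    printf '%s\n' "$text" | grep -qiwF -- "$cve"
}

# rpm_cve_fixed PACKAGE CVE-ID
# Runs the same check over the installed package's changelog; returns 3 when
# rpm is unavailable or the package is not installed, so "no" is never reported
# for a package that was simply never queried.
rpm_cve_fixed() {
    pkg="$1"
    cve="$2"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host" >&2; return 3; }
    rpm -q "$pkg" >/dev/null 2>&1 || { echo "package $pkg is not installed" >&2; return 3; }
    cve_fixed_in_text "$cve" "$(rpm -q --changelog "$pkg")"
}

# Constructed sample changelog in the RPM changelog style; not a real package record.
SAMPLE_CHANGELOG='* Tue Jan 26 2021 Example Maintainer <maint@example.invalid> - 1.0-2
- Fix heap-based buffer overflow in command-line argument parsing
- Resolves: CVE-2021-3156
* Mon Nov 02 2020 Example Maintainer <maint@example.invalid> - 1.0-1
- Initial packaging'

# Demonstration against the constructed sample (on a real host use: rpm_cve_fixed sudo CVE-2021-3156)
if cve_fixed_in_text CVE-2021-3156 "$SAMPLE_CHANGELOG"; then
    echo "sample changelog records a fix for CVE-2021-3156"
else
    echo "sample changelog does not mention CVE-2021-3156"
fi
```

On a CentOS Stream or RHEL host the useful call is `rpm_cve_fixed sudo CVE-2021-3156`; a zero exit means the installed build's changelog claims the fix, which is the evidence an advisory page would otherwise give you.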