On Tue, May 04, 2021 at 10:57:11AM +0000, Jose Marques wrote:
>
> My view is that Stream is exactly what RHEL say it is, a development
> distribution to which 3rd parties can contribute to RHEL development and from
> which 3rd parties can base their own distributions. It's not for end users,
> or small organisations that need timely security updates and other fixes and
> can't produce same themselves.
>

This is exactly what puzzles me.

The food chain seems to be:

{GNOME,systemd,Poettering,etc} -> Fedora -> CentOS Stream -> RHEL

The purpose of RHEL seems to be clear: stuff that reaches RHEL has been
hammered enough that it mostly works.

The purpose of Fedora is clear: this is the bleeding edge; whatever works,
works; whatever is broken, we fix tomorrow, but no promises.

But what is CentOS Stream in the middle? How is it different from Fedora?

Is it:

a) stuff that is not good enough yet for RHEL? (needs more hammering until it works).
   (but "not good enough for RHEL" probably means "not good enough for me"?).
b) just Fedora N-1?
c) "best of" selection of packages from Fedora N, N-1, N-2, etc?
d) all of the above plus secret/proprietary/NDA fixes for security and hardware bugs?

Perhaps the answer truly is as Red Hat have been saying all along -
"this is our internal development process".

But in this case, how/why would anybody recommend "an internal development process"
"thing" for any kind of production use?

Hmm... If quality is good enough, maybe it is ok. Let's see how quickly
they fix security CVEs...

I pick https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20194 at random,
I follow the references through https://bugzilla.redhat.com/show_bug.cgi?id=1912683

- Fedora: all versions affected, fix available
- RHEL: affected, see https://access.redhat.com/security/cve/cve-2021-20194
- CentOS Stream: no info, google search for "CVE-2021-20194 centos" and "... centos stream"
  yields nothing. ("... ubuntu" yields the expected notvulnerable/fixreleased page)

Ok, maybe some obscure CVE was a bad choice. How about the "sudo" CVE-2021-3156?
I do not see any notice of resolution for centos stream. (I see notices
for RHEL, Ubuntu, Fedora, etc. Of course CentOS "Linux" follows the RHEL CVEs).

Now I have to ask, does "CentOS Stream" even follow the CVE process?
(notices of vulnerability, "fix available", etc).

(CentOS "Linux" follows the RHEL CVE process, of course).

Not that I am dumping on CentOS Stream, I am just trying to understand
how it works as a suggested replacement for CentOS Linux.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada