Hi,

Yep, that's the ticket. I did think about doing that, but then for reasons I forget, I didn't. Thanks for looking that up and indeed there appear to be a number of updates between RH releasing 4.8 and SL releasing 4.8.

That Johnny Hughes response was to me, in fact. I quoted back the Karanbir quote where Johnny was (very) less than certain about whether they would take that direction.

I prefer the SL way, and it obviously doesn't cause the issues that Johnny was concerned about, or the SL team solve them by some other means. Evidently, not all rebuilds are the same. ;o)

Thanks for the responses,

Ian.

________________________________
From: Akemi Yagi <[email protected]>
To: Ian Murray <[email protected]>
Cc: Dr Andrew C Aitchison <[email protected]>; [email protected]
Sent: Tuesday, 11 August, 2009 15:59:27
Subject: Re: Security Updates Question

On Tue, Aug 11, 2009 at 2:12 AM, Ian Murray<[email protected]> wrote:
> Hi,
>
> Thanks for the reply. Distribution dot release is what I was referring to. I
> didn't make myself clear, so my bad. I'll give an example, which will make
> it clearer, hopefully.
>
> The other rebuild project has not yet released their equivalent to RHEL 4.8.
> Obviously, RH themselves have (as have SL :o) ). As far as I understand,
> after RH release 4.8, all their subsequent errata updates against 4.X will
> be released with the assumption dependencies are met by packages in 4.8.
>
> The problem with the 'other' rebuild distribution is that they won't release
> security updates that require dependencies that are met in 4.8 until they
> have released their 4.8 equivalent distribution (Actually they 'roll-in'
> recent updates). So there is a potential delay of weeks and months before
> security updates are passed on whilst a distribution is being rebuilt, as
> they currently don't start rebuilding the dependencies of an errata updated
> package, unless it is part of the release. So the upshot is that 4.7
> users can't get security updates until 4.8 is released. As far as I
> remember, 5.3 took 2 months to appear from the other rebuild project.
>
> I am quite happy to wait a few days for a security update, but I do take
> issue with an unknown exposure where security updates are delayed for an
> unspecified length of time.
>
> So, does SL work the same way?

You can find what you are looking for by going through the SL's errata at:

http://listserv.fnal.gov/archives/scientific-linux-errata.html

Look in June, July and August. SL4.8 was announced on August 3. You will find the SL4 updates that were released before the 4.8 release on that list.

For people who are wondering what the OP was talking about, there was recently a detailed description by Johnny Hughes explaining why CentOS does not publish updates prior to a point release:

http://lists.centos.org/pipermail/centos/2009-August/080373.html

However, there is a movement in CentOS in favor of getting the pending updates out whenever it is possible, as seen in this post by Karanbir Singh:

http://lists.centos.org/pipermail/centos/2009-July/079311.html

Akemi
