Hi Troy, It does answer my question. As has been said elsewhere, at least the end user has the choice to take the updates or wait. This is a deal breaker for me using CentOS, as a would-be attacker has a wealth of information to help them. For example, once Redhat releases a point release, an attacker knows that any subsequent errata can be used against a CentOS box at least until the CentOS project releases the corresponding point release. It is quite literally a sitting duck.
I am off to try to find some migration documentation, although I may be back on the list if I can't find any. My complication is that I use Xen 3.3.1 from the gitco.de repository. Thanks for the information, Ian.

________________________________
From: Troy Dawson <[email protected]>
To: Ian Murray <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Tuesday, 11 August, 2009 17:03:24
Subject: Re: Security Updates Question

Hi Ian,

Ian Murray wrote:
> Hi,
>
> I'm new to the list so please be gentle with me!
>
> I am a user of another well known Redhat Rebuild distribution and it has come
> to light that the maintainers don't/can't release interim security updates
> while they are rebuilding a new dot release from upstream, as far as I can
> understand. This is because upstream releases its security fixes against the
> most recent dot release. Therefore there is a corresponding delay to security
> releases.
>
> I am considering moving away from that distribution for the above reason and
> the dot releases seem to be taking a long time, which compounds that issue. I
> would like to stick with something RH based, as I am familiar with it.
>
> Do the Scientific Linux maintainers use the same approach as above, or have
> they solved that issue in some other way?
>
> Thanks in advance,
>
> Ian.
>

Hi Ian,
Interesting question that I've never seen before. I believe it's been answered, but I'll answer it anyway.

When RedHat releases a point release, such as RHEL 4.8 or 5.4, and then releases security errata after that, we try to get those security errata out as soon as possible. That being said, it is often a week or two before the first security errata get pushed out by us, and it is quite common for those early packages to have dependencies and/or complications we didn't expect. But after a few weeks to a month, things tend to settle down and be less trouble.

I hope that answers your question.
Thanks
Troy Dawson
--
__________________________________________________
Troy Dawson [email protected] (630)840-6468
Fermilab ComputingDivision/LCSI/CSI LMSS Group
__________________________________________________
