CentOS is security disaster

Posted Apr 1, 2009 18:01 UTC (Wed) by MilanKerslager (guest, #53653)
Parent article: CentOS 5.3 released

CentOS is a big security nightmare. They have not released security updates for the kernel since RH's 5.3 (Feb 19), or even the 5.2.z security update (Feb 24, https://www.redhat.com/archives/enterprise-watch-list/200...). This is a great pity and I really dislike answers like "don't ask, just wait until it'll be ready", "no QA yet" and so on. They write about a community-driven project, but this seems to me like a one (or two, three) man show. I remember I was trying to produce updates for WhiteBox Linux, which was too late all the time, with only negative replies from its owner. Tao Linux ended too. I had to build my own kernel for CentOS, so this may be the beginning of the end too (and I wish to be wrong).

CentOS is security disaster

Posted Apr 1, 2009 20:11 UTC (Wed) by dowdle (subscriber, #659) [Link]

It is true that the CentOS folks were really late in getting out 5.3. They are definitely aware of the problems and are trying to get them resolved for future releases.

Some updates that came out for RHEL5.3 could not be done for CentOS 5.2 because they depended on other (non-security related) packages that were updated in 5.3... so their best course of action was trying to get 5.3 done as soon as possible.

I wouldn't call CentOS 5.3 a security nightmare. While there have been some security updates that have taken a while... none of them were critical. If they had ignored a critical update... or if there were some exploit in the wild it would have been different.

The CentOS project takes a practical approach and weighs the actual risks (from my perception as a project outsider) and factors that into their work schedule. I'm not trying to say that is necessarily a good approach... because yeah, it would have been nice if security updates had been released the same day or the next day as Red Hat, as has historically been the case. What other free / non-sponsored distribution maintains 3 or 4 different releases over a long period of time?

As they have said, if their updates aren't timely enough for you, and most of the time they are extremely timely, then you should consider going upstream.

CentOS is security disaster

Posted Apr 2, 2009 10:39 UTC (Thu) by berndp (guest, #52035) [Link]

So why didn't you help that man for ages if you dislike his one (or two, three) man show?

CentOS is security disaster

Posted Apr 2, 2009 13:57 UTC (Thu) by dag- (subscriber, #30207) [Link]

Milan,

The CentOS project knows there are problems, but we cannot tackle those problems while a new release is imminent. The people producing updates and a new release are some of the people that take part in this discussion.

That is why the answers you are looking for during a period of high workload are probably not the answers you were hoping for. Releasing CentOS 5.3 was more important at the time.

That said, we have to learn from this. Adding more resources to the build process itself is unlikely to help a lot, since there are risks involved in increasing the pool of people that can build and sign official CentOS packages.

But better planning and project management could help avoid delays. Making it easier for people to create their own rebuilds could help with contributions. And more transparency about the process could help with getting more people involved in improving the processes and tools. In itself, it would be good if there was more competition in the RHEL rebuild space again.

There is a great deal that we have to improve in the process, and not everything may be feasible given this is based on volunteering. But we should be cautious to not use "volunteering" as an excuse, nor should we accept criticism without some commitment to help.

Let's hope we can draw conclusions and find acceptable solutions before RHEL 4.8 is out :-)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds