Many users and organizations have turned to CentOS as a replacement for Red Hat
Enterprise Linux (RHEL). While the quality of the CentOS distribution as a
RHEL substitute seems unquestioned, the speed of releases and updates is
another matter entirely. The project is taking some steps to address this
with continuous release repositories, but it's not entirely clear yet how
those will work out.
release (CRs) repositories are relatively new to CentOS. The CRs
include RPMs that will be included in the next CentOS point release. For
instance, a repository for 5.6 will contain the RPMs for 5.7 until 5.7 is
released. The CRs have to be added manually, they're not added by default
— even though CentOS project leader Karanbir Singh strongly
recommends using the CRs for security and bugfix releases.
Users will want to exercise caution, though. Though CRs are the sole
option to users wanting updates before ISOs are released, the CR
description warns that CR packages have been "less comprehensively
reviewed" at the stage when they enter the CR repository.
To get CRs, admins will need to install the "centos-release-cr"
package. Announcements about the updates that land in the CRs are sent to a separate
mailing list. While users are waiting for the next CentOS release,
updates go into the CR repository. When the next release is available, the
repository is "emptied" and starts receiving updates for the next
CentOS released the CR
repository for 5.6 on August 15, with a note from Singh saying
"we hope to have the 5.7 Release ready in the next 7 to 10
days." The 5.7 release was actually announced on
September 13, just under two
months after RHEL 5.7 was released.
The CR for 6.0 was promised
"within the next 48 hours" in the release announcement for
6.0 by Singh. That was on July 10, when CentOS 6.0 was released eight months after RHEL 6.0. But CentOS 6.0 CR was finally announced
on September 27, well more than two months after the 48-hour
The delay and apparent absence of updates has been of concern for many
users of CentOS. Consider, for instance, the update to fix the recent DoS for Apache. The advisory
was released on August 24, and Red Hat issued an
update on August 31. If you look on the CentOS update list, it doesn't
appear that any update was released for CentOS 5.x or 6.x. However, when
asked on the CentOS discussion list, Singh
that it was already pushed and should be on the mirrors - in the continuous
release repository, where few users had seen it.
Looking over the CentOS users list, it appears the concept and existence
of CRs has not made its way to quite a few CentOS users. Even after the CR
repositories for 5.x were announced, plenty of users were still asking
about updates for that release on the CentOS list. Note that few CentOS
users ever actually visit the lists. Many users get CentOS from
hosting providers, or just hear that it's a good RHEL replacement and go on
their way. They don't get deeply involved in the community and sign up for
mailing lists, so it's not surprising that many users fail to notice a new
and not well-advertised feature.
In other words, while there is no way to really know what percentage of
CentOS users have taken the extra step to use the CR repository, one has to
assume that it is quite low.
Meanwhile, if you're thinking of complaining to the CentOS list about
the speed of updates and releases, be forewarned that complaints will
met with advice to purchase a RHEL subscription.
Indeed, that is one option that users have if they're dissatisfied with
CentOS. While the CR repository looks to be a better solution than simply
waiting for point releases to get updates, there's still no promise as to
how long it will take for updates to reach CentOS users - unsurprising,
since those users have not paid for any such promises. Some of the
updates have been almost immediate, such as the nspr
update released one day after the upstream release. Others, such as this RHEL Qt update from September 21, have not
yet been seen in CentOS as of this writing one week later.
Users might also consider Scientific Linux or another
RHEL clone, if they can't afford or do not wish to pay subscription fees
for RHEL. While Scientific Linux is not as committed to being an exact
clone of RHEL, it comes very close. And the project provides
a steady stream of updates that follow RHEL, seemingly in a more timely
Having the continuous release repositories is a positive step for
CentOS, but it still seems to fall short of providing the kind of timely
updates that many production users are likely to want. Providing timely
security updates is hard - even, seemingly, when another company is doing
the work of actually fixing the code involved. Users who are concerned
about updates will want to consider what the CentOS community appears to be
able to do and come to their own conclusions as to whether the
addition of CR improves things enough to meet their needs.
to post comments)