Many users and organizations have turned to CentOS as a replacement for Red Hat
Enterprise Linux (RHEL). While the quality of the CentOS distribution as a
RHEL substitute seems unquestioned, the speed of releases and updates is
another matter entirely. The project is taking some steps to address this
with continuous release repositories, but it's not entirely clear yet how
those will work out.
The continuous
release (CR) repositories are relatively new to CentOS. The CRs
include RPMs that will be included in the next CentOS point release. For
instance, a repository for 5.6 will contain the RPMs for 5.7 until 5.7 is
released. The CRs have to be added manually; they're not added by default,
even though CentOS project leader Karanbir Singh strongly
recommends using the CRs for security and bugfix releases.
Users will want to exercise caution, though. Although CRs are the sole
option for users wanting updates before ISOs are released, the CR
description warns that CR packages have been "less comprehensively
reviewed" at the stage when they enter the CR repository.
To get CRs, admins will need to install the "centos-release-cr"
package. Announcements about the updates that land in the CRs are sent to a separate
mailing list. While users are waiting for the next CentOS release,
updates go into the CR repository. When the next release is available, the
repository is "emptied" and starts receiving updates for the next
release.
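
A host-side check for the setup step described above, added here as an example (it is not from the CentOS project or from this article): it reports whether a yum repository section is present and enabled. The repo id `cr`, the file name `CentOS-CR.repo` and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit helper: is a given yum repo section configured and enabled?
# Assumed names (not stated in the article): repo id "cr", file CentOS-CR.repo.

# repo_enabled DIR REPO_ID -> exit status 0 if [REPO_ID] exists and is enabled
repo_enabled() {
    dir=$1
    id=$2
    # No .repo files at all means the repo is not configured.
    ls "$dir"/*.repo >/dev/null 2>&1 || return 1
    awk -v want="$id" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                    # section header
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            # yum treats a repo with no "enabled" key as enabled
            if (sec == want) { found = 1; enabled = 1 }
            next
        }
        sec == want && /^[ \t]*enabled[ \t]*=/ {    # tolerate spaces around "="
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t\r]*$/, "", val)
            enabled = (tolower(val) ~ /^(1|yes|true)$/) ? 1 : 0
        }
        END { exit (found && enabled) ? 0 : 1 }
    ' "$dir"/*.repo
}

# Constructed sample: the CR repo file is installed but switched off.
demo_dir=$(mktemp -d)
cat > "$demo_dir/CentOS-CR.repo" <<'EOF'
# constructed sample, not copied from a real host
[cr]
name=CentOS-$releasever - CR
enabled = 0
gpgcheck=1
EOF

if repo_enabled "$demo_dir" cr; then
    echo "cr: enabled"
else
    echo "cr: NOT enabled; updates published only to CR will not be seen"
fi
```

On a real host the first argument would be the yum repository directory, normally `/etc/yum.repos.d`.
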
CentOS released the CR
repository for 5.6 on August 15, with a note from Singh saying
"we hope to have the 5.7 Release ready in the next 7 to 10
days." The 5.7 release was actually announced on
September 13, just under two
months after RHEL 5.7 was released.
The CR for 6.0 was promised
"within the next 48 hours" in the release announcement for
6.0 by Singh. That was on July 10, when CentOS 6.0 was released, eight months after RHEL 6.0. But the CentOS 6.0 CR was finally announced
on September 27, well more than two months after the 48-hour
promise.
The delay and apparent absence of updates have been of concern for many
users of CentOS. Consider, for instance, the update to fix the recent DoS for Apache. The advisory
was released on August 24, and Red Hat issued an
update on August 31. If you look on the CentOS update list, it doesn't
appear that any update was released for CentOS 5.x or 6.x. However, when
asked on the CentOS discussion list, Singh
replied
that it was already pushed and should be on the mirrors - in the continuous
release repository, where few users had seen it.
Looking over the CentOS users list, it appears the concept and existence
of CRs have not made their way to quite a few CentOS users. Even after the CR
repositories for 5.x were announced, plenty of users were still asking
about updates for that release on the CentOS list. Note that few CentOS
users ever actually visit the lists. Many users get CentOS from
hosting providers, or just hear that it's a good RHEL replacement and go on
their way. They don't get deeply involved in the community and sign up for
mailing lists, so it's not surprising that many users fail to notice a new
and not well-advertised feature.
In other words, while there is no way to really know what percentage of
CentOS users have taken the extra step to use the CR repository, one has to
assume that it is quite low.
Meanwhile, if you're thinking of complaining to the CentOS list about
the speed of updates and releases, be forewarned that complaints will
likely be
met with advice to purchase a RHEL subscription.
Indeed, that is one option that users have if they're dissatisfied with
CentOS. While the CR repository looks to be a better solution than simply
waiting for point releases to get updates, there's still no promise as to
how long it will take for updates to reach CentOS users - unsurprising,
since those users have not paid for any such promises. Some of the
updates have been almost immediate, such as the nspr
update released one day after the upstream release. Others, such as this RHEL Qt update from September 21, have not
yet been seen in CentOS as of this writing one week later.
Users might also consider Scientific Linux or another
RHEL clone, if they can't afford or do not wish to pay subscription fees
for RHEL. While Scientific Linux is not as committed to being an exact
clone of RHEL, it comes very close. And the project provides
a steady stream of updates that follow RHEL, seemingly in a more timely
manner.
Having the continuous release repositories is a positive step for
CentOS, but it still seems to fall short of providing the kind of timely
updates that many production users are likely to want. Providing timely
security updates is hard - even, seemingly, when another company is doing
the work of actually fixing the code involved. Users who are concerned
about updates will want to consider what the CentOS community appears to be
able to do and come to their own conclusions as to whether the
addition of CR improves things enough to meet their needs.