LWN: Comments on "CentOS 5, RHEL 5.6, and security updates"

CentOS 5, RHEL 5.6, and security updates

gnu_andrew — Tue, 01 Mar 2011 19:05:03 +0000

I'm the maintainer of IcedTea6 which is used to create the java-1.6.0-openjdk packages for Fedora and RHEL. One of the OpenJDK updates will be the floating point bug fix which has beem publicised recently. Unpatched, certain floating point numbers will hang the VM (and hence javac as it is written in Java) and this could be triggered by user input. Both packages correspond to IcedTea6 1.7.x releases which were made for these updates and do not require 5.6 to my knowledge. I would get these updates ASAP and leave 6 for now.

CentOS 5, RHEL 5.6, and security updates

oak — Fri, 25 Feb 2011 19:22:02 +0000

Maybe they could put up a list of the security updates that aren't handle yet and regularly update it with information which packages are being processed / already done, so that others can help with packages that are important for them?

CentOS 5, RHEL 5.6, and security updates

jake — Fri, 25 Feb 2011 00:45:07 +0000

> RH does not make Extras/Supplementary SRPMS (java-*-sun, java-*-ibm,
> flash-plugin) available so they are not re-distributed by CentOS, AFAIK.

Indeed. That was an error in the article, which I have updated to reflect.

jake

CentOS 5, RHEL 5.6, and security updates

thoger — Thu, 24 Feb 2011 15:30:41 +0000

RH does not make Extras/Supplementary SRPMS (java-*-sun, java-*-ibm, flash-plugin) available so they are not re-distributed by CentOS, AFAIK.

CentOS 5, RHEL 5.6, and security updates

ESRI — Thu, 24 Feb 2011 14:35:47 +0000

I actually haven't tried SL's 5.6 "alpha", so I don't know how far along it is (I have been using their 6.0 rolling release for a few weeks now without problems). They do seem to make their dog food available immediately for the masses to consume whereas CentOS uses a more private QA process (no public release until final).

Note -- I don't mean any of this as a slight to the CentOS crew. I agree with you -- if you need quicker turnaround on any of this, you should be paying RH money.

CentOS 5, RHEL 5.6, and security updates

clugstj — Thu, 24 Feb 2011 14:04:18 +0000

If you are short on manpower and care about your users, IMHO, you would ignore 6.0 (you have no users running that since it doesn't yet exist) until you had 5.6 buttoned up.

CentOS 5, RHEL 5.6, and security updates

dowdle — Thu, 24 Feb 2011 04:43:47 +0000

Checking SL's front page it says their latest releases are 5.5 and 4.8. Checking their FTP directories, it says 5.5 and 4.8. The document you linked to says, "Linux ALPHA" so I'm guessing it is an alpha release just like they have released test releases for 6. With CentOS 5.6 supposedly only a few days away... that seems more advanced than an alpha release but I don't want to count those chickens before they are hatched.

Oracle was my bad. I hadn't seen their 5.6 release noted on distrowatch.com and didn't hunt down the info on their site.

CentOS 5, RHEL 5.6, and security updates

ESRI — Thu, 24 Feb 2011 04:20:30 +0000

Oracle released Unbreakable Linux 5.6 on January 20th. Scientific Linux has a rolling 5.6 release (as they do with 6.0).

Obviously, Oracle has a lot of resources to devote to their releases, and I'm not really sure how SL does their work, but I believe they have some financial backing (full-time people?).

For CentOS it seems to be a manpower shortage... how to solve it remains to be seen (it's not easy to become a member of the "core" group where likely the most help is needed). I think it might not hurt them to recruit or bring in someone who isn't focused as much on doing the technical work, but can instead target documenting, organizing and publicizing work flows and procedures and making a concerted effort to allow more people to participate and help CentOS out during the point release period. This way things don't necessarily slow down while Johnny or Karanbir are having to deal with restless mailing list complainers or issues at $DAYJOB.

CentOS 5, RHEL 5.6, and security updates

dowdle — Thu, 24 Feb 2011 03:06:34 +0000

As mentioned in the article... this does typically happen during the gap of time when CentOS is trying to put out new releases (and now 3 with 6.0, 5.6, and 4.9) out so this is nothing new.

I wish the article had covered how well the other RHEL clones are doing.

Scientific Linux - SL has released several betas and a RC for 6... so it is close but still not done. I haven't heard a peep about 5.6 yet... nor 4.9... but I'm not very attuned to their community.

Oracle - This commercial clone of RHEL/CentOS only released 6 a little over a week ago. I haven't heard anything about 5.6 or 4.9. Hmmm, does Oracle even have a 4 series? I'm not sure.

To clarify about 4.9, Red Hat didn't release refreshed .iso images... just packages. I'm not sure how each of the clone makers are going to handle 4.9. .isos or just packages?

Any any event, I think criticism of CentOS isn't really called for when they seem to be pulling their weight relative to the others. That isn't to say that I think this LWN article was critical (mainly informative) but I don't really agree with DAG or others who might feel otherwise. The CentOS developers are clearly aware of their issues and aren't trying to mislead anyone.

The advice goes... if you need updates faster than the community project can provide them and you can't build them yourself, you should probably buy one or more RHN entitlements.

At least CentOS is distinguishing between critical updates and less important ones as I think they should. I'm not trying to wave my hands and say security updates aren't important... because they certainly are. How have all of the other, non-clone distros, faired in updating the issues that also affect them? I'd chance a guess and say that almost all of them are doing better than many of the commercial OS vendors.