On 03/02/2016 10:42 AM, Mark Milhollan wrote:> I understand that some people might be trying to cherry-pick their > updates and the assertion that doing so is not supported. But that is > not the only way in which --security can be used and it is a bit boring > to continually see whining about the assumptive use. > > For me it is about scheduling -- it would answer the question: Does this > system need updating immediately, vs scheduled for / deferred until a > convenient time. > > I wish --security was functional and I do not accept that because it can > be abused that it should therefore never be. That CentOS as yet has no > way to make it functional is sad, and I hope that the lack is not due to > the assumed use resulting in it being ignored.That is not the reason, I have posted the reason several times .. including in this thread. We do not have enough space on donated mirrors and the data required for the xml file is not redistributable. It is not being ignored, it was designed to be used within rhn and since we give CentOS away for free, we can't buy the machines or bandwidth we need to include all rpms in all trees. Even if we could do that, we can't steal information and redistribute it if it is not licensed for such distribution. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160302/0337a5c0/attachment-0001.sig>
On Wed, 2 Mar 2016, Johnny Hughes wrote:>On 03/02/2016 10:42 AM, Mark Milhollan wrote:>>I wish --security was functional>>I hope that the lack is not due to >>the assumed use resulting in it being ignored. > >That is not the reason,>We do not have enough space on donated mirrorsSurely the data could be tailored to provide only that which applies to the current set of RPMs. Do we know that yum will fail if RPMs are cited in the file but which are not available for install?>the data required for the xml file is not redistributable.That does sound like it is being ignored, because you know you can't do it. As things stand. (I think you should put all this in an/the FAQ then point people to it, instead of sending large swaths of the same words yet again, which must surely be frustrating.) But the project could lobby Red Hat for access to the file, whether for just CentOS (RH has done things just for CentOS before) or for the wider community of rebuilders. I can't know if this has been attempted, but it has not been mentioned as having been asked. Can I help lobby for such access? I bet that would only be possible after CentOS has started such a petition, since non-RHEL users cannot submit feature requests. But the CentOS project isn't quite in the same boat as its users, so you might be able to open such a ticket and if it were public others could jump in with their support. Or would a SIG be the right avenue? Would Red Hat pay any attention to 3rd party lobbying sites? At least I think I remember such existing, though I cannot at the moment recall any names. /mark
On 03/03/2016 02:58 PM, Mark Milhollan wrote:> On Wed, 2 Mar 2016, Johnny Hughes wrote: >> On 03/02/2016 10:42 AM, Mark Milhollan wrote: > >>> I wish --security was functional > >>> I hope that the lack is not due to >>> the assumed use resulting in it being ignored. >> >> That is not the reason, > >> We do not have enough space on donated mirrors > > Surely the data could be tailored to provide only that which applies to > the current set of RPMs. Do we know that yum will fail if RPMs are > cited in the file but which are not available for install?Whose current set .. your's or the guy that hasn't done an update since 2007? Te problem is, if we say we support the security plugin, then it has to be able to update ANY configuration and all security updates. Let's say that you are on 6.4 right now, there is a security update in 6.5 and 6.6, and there is a bugfix update in 6.7 (current version), you run the security plugin and it says .. no security updates (because the 6.7 update is only a bugfix). You are instead behind and have a security problem .. no, you have to have all or it doesn't work, and it then causes people to think they are OKwhen they are not.> >> the data required for the xml file is not redistributable. > > That does sound like it is being ignored, because you know you can't do > it. > > As things stand. > > (I think you should put all this in an/the FAQ then point people to it, > instead of sending large swaths of the same words yet again, which must > surely be frustrating.) > > But the project could lobby Red Hat for access to the file, whether for > just CentOS (RH has done things just for CentOS before) or for the wider > community of rebuilders. I can't know if this has been attempted, but > it has not been mentioned as having been asked. >One of the things RHEL does that CentOS doesn't do (and has never done) is verify security issues, verify fixes correct those issues and provide assurance that they are fixed. They is why RHEL is a paid product and CentOS is free. <snip> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20160307/5f5e52f0/attachment-0001.sig>