On Sat, 22 Nov 2014 17:10:40 -0600
"John R. Dennison" <jrd at gerdesas.com> wrote:
> On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
> >
> > I don't like to spend time in creating ugly workarounds..
> > and therefore would highly appreciate if the CentOS-Developers
> > will add the data to the yum repositories.
> > Then I can use Munin to monitor the pending security packages
> > also for CentOS as now only for my RHEL machines.
>
> It's not that simple. Please have a look at the list archives in the
> past couple months where this was addressed. The threads were either
> here or on the centos-devel mailing list.
thanks to Nux! who posted the following link in
the first reply of this thread:
----------------------------
Begin forwarded message:
Date: Sat, 22 Nov 2014 12:44:57 +0000 (GMT)
From: Nux! <nux at li.nux.ro>
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] yum-plugin-security
This plugin does not work on CentOS, at least not yet, there were previous
discussions. e.g.
http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html
----------------------------
I read this thread and also another, which is refered to therein:
http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html
> If memory serves the primary factor that is holding this up is a space
> requirements issue; the threads can shed more light on it, however.
To tell the truth, as a person who is not familiar with the
internal structures and procedures of tree building and
maintenance of the repositories, I don't really understand
why it should be so difficult to handle a "security-update" flag
for the update packages, but I have to believe the experts,
who make statements on this topic.
Here is what I picked up when reading the thread from devel list:
1. For a valid approach data for all packages over
the complete history of the major version is needed.
2. At the time the data is only sent to the announce mailing list
and it will need a big effort with also manual work to
collect all the data back from there.
3. "it would add significantly to the size required to
mirror CentOS and require a redesign of how we do trees completely (we
currently only push the latest tree for each live major version)." (Johnny
Hughes)
4. The developers fear that the yum-plugin-security functions
may seduce people to only install the security relevant packages,
which can cause problems.
5. The tools used by scientific linux repo maintainers,
who support a security classification,
are availabe under free software license.
https://cdcvs.fnal.gov/redmine/projects/python-updateinfo
My personal view is represented by the mails of Kevin Stange in this thread.
And I still hope that the issue will be solved by
integrating the "security update" flag into the
CentOS repositories in the future.
so far and thanks for your replies to all contributors in this thread,
Gabriele