Brian Stinson
2021-Jul-28 19:42 UTC
[CentOS] It's been six days since CVD-2021-33909 was patched in RHEL, what's the holdup for Stream 8?
Carl summarized really well how code moves through RHEL and CentOS Stream, and we're working on making sure we publish a build that has made it through the usual set of RHEL tests. -326 is a possible candidate here.

Think about CentOS Stream as the development location for the next-minor release of RHEL. I'd like to highlight some of the general points related to this discussion:

- There are certain classes of CVE that we handle differently from normal development work: https://centos.org/distro-faq/#q4-how-will-cves-be-handled-in-centos-stream
- Since these fixes need to go into RHEL first, getting them into the development location (CentOS Stream) represents a separate set of work.
- Our intent is to get CVE fixes like this into Stream as soon as they're available within the guidelines referenced in the FAQ

In the past updates have gone out quickly, we haven't artificially held up pushes and we will not do so going forward. We don't, though, make any forecasts or guarantees about turnaround time, this is to make sure we deliver those fixes correctly.

I hope that as we continue rolling out new workflows in CentOS Stream 9, we will be able to provide more direct feedback on patch status at a source code level. Just as a reminder you can view and participate in development happening on Gitlab: https://gitlab.com/redhat/centos-stream/

--Brian

Carl George
2021-Jul-29 03:18 UTC
[CentOS] It's been six days since CVD-2021-33909 was patched in RHEL, what's the holdup for Stream 8?
kernel-4.18.0-326.el8 is being pushed to the mirrors now.

On Wed, Jul 28, 2021 at 2:42 PM Brian Stinson <bstinson at redhat.com> wrote:
>
> Carl summarized really well how code moves through RHEL and CentOS
> Stream, and we're working on making sure we publish a build that has
> made it through the usual set of RHEL tests. -326 is a possible
> candidate here.
>
> Think about CentOS Stream as the development location for the next-minor
> release of RHEL. I'd like to highlight some of the general points
> related to this discussion:
>
> - There are certain classes of CVE that we handle differently from
> normal development work:
> https://centos.org/distro-faq/#q4-how-will-cves-be-handled-in-centos-stream
> - Since these fixes need to go into RHEL first, getting them into the
> development location (CentOS Stream) represents a separate set of work.
> - Our intent is to get CVE fixes like this into Stream as soon as
> they're available within the guidelines referenced in the FAQ
>
> In the past updates have gone out quickly, we haven't artificially held
> up pushes and we will not do so going forward. We don't, though, make
> any forecasts or guarantees about turnaround time, this is to make sure
> we deliver those fixes correctly.
>
> I hope that as we continue rolling out new workflows in CentOS Stream 9,
> we will be able to provide more direct feedback on patch status at a
> source code level. Just as a reminder you can view and participate in
> development happening on Gitlab:
> https://gitlab.com/redhat/centos-stream/
>
> --Brian

--
Carl George