CentOS update gap

whoop
Posts: 8
Joined: 2020/10/17 13:25:06

CentOS update gap

Post by whoop » 2020/10/31 22:32:06

Hi,
I have noticed there is a significant "update gap" when the maintainers of CentOS are busy working on a new point release.

Just to be clear: This is not a complaint, not at all!!!

The "update gap" I am talking about is not the time gap between RHEL and CentOS but rather the lack of updates for a given release when the maintainers are (extra) hard at work on a new CentOS point release.

I know that if you want bleeding edge stuff on your machine(s), CentOS is not the right distro to choose but that is not what I am talking about either.

It's just, well, the lack of updates at certain times; in combination with the fact that a big portion of Linux servers running on the internet are CentOS powered.
The chance that a security hole could pop its head up in one of these gaps is quite significant if you take the size of the gap into account.

I have read a lot of posts about this topic, but it never really gave me a clear understanding about the situation.

* Do the maintainers still release patches for critical or high severity security issues during these update gaps?
* Do (most) people use the cr repo (and would this mitigate the chance of not having fixes for security holes installed)?
* Something else?
* Nothing?

Interested in hearing information about this.

Thanks

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: CentOS update gap

Post by KernelOops » 2020/10/31 22:53:57

I don't really know if CentOS was affected by the IBM/RedHat takeover/merger, but the time frame fits. Maybe resources have been moved out of CentOS?

I hear many complaints about RHEL 8 causing issues and delays for the CentOS 8 release... then again for the 8.1 release and again for the 8.2 release... and the broken emails (about updated rpm packages)... and the changes in tooling...

Maybe someone at RedHat is tired of supporting CentOS? I don't know.

What I do see, is significant delays in CentOS...
--
R.I.P. CentOS :cry:
--

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS update gap

Post by TrevorH » 2020/11/01 01:00:55

When a new point release drops there are anything up to around 1000 new SRPMs to build and those then produce something like 3000 binary rpms. Those all have to be built in the right order so that things that are dependent on other changed packages pick those up. It takes time to do that and when those are done and tested, they go into the CR repo. That CR repo is effectively the new point release but early. That's why it's there.

If Red Hat now release subsequent updates on top of RHEL 7.9 then those cannot be built and released for CentOS 7.8 since they may also depend on things that are part of the as yet unreleased CentOS 7.9. So those are held up too but are also built and are also in the CR repo now.

Once CR is populated then things move on to other bits needed for the release like does the installer work, does it need debranding, how do you get all the packages to fit on a 4.3GB DVD and that takes more time still. But you don't have to wait for that as you can install 7.8 and yum update from CR to 7.9 already.

CentOS 8 works differently in that it won't let you even build a release tree that could be used for CR unless it also spits out iso images so by the time something can be produced that could be used for CR, it's only one step further to build the isos. There is no CR for 8.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
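What the post above describes for CentOS 7 (fixes sitting in CR before the point release ships) can be measured on a host. This is an added example, not part of the original thread: it parses `yum check-update` output and lists the pending updates that come from a given repo. The repo id `cr` is the CentOS 7 CR repo; the function names and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread). On a real CentOS 7 host, pipe in:
#   yum -q --enablerepo=cr check-update
# yum exits with status 100 when updates are available; that is not an error.

# Constructed sample of check-update output; package versions are made up.
sample_output() {
cat <<'EOF'

kernel.x86_64                     3.10.0-9999.el7           cr
openssl-libs.x86_64               1:1.0.2k-99.el7_9         cr
tzdata.noarch                     2020z-1.el7               updates
a-long-package-name-that-wraps-the-line.x86_64
                                  1.2.3-4.el7               cr
Obsoleting Packages
foo.x86_64                        1.0-1.el7                 cr
    bar.x86_64                    0.9-1.el7                 @base
EOF
}

# pending_from_repo REPOID: read check-update output on stdin and print the
# name.arch of every pending update whose source repo is REPOID.
pending_from_repo() {
  awk -v repo="$1" '
    /^Obsoleting Packages/ { skip = 1 }          # later lines are not plain updates
    skip || NF == 0        { next }
    NF == 1                { held = $1; next }   # long name wrapped onto its own line
    NF == 2 && held != ""  { if ($2 == repo) print held; held = ""; next }
    NF == 3                { if ($3 == repo) print $1; held = "" }
  '
}

# Updates that exist only in CR are the ones a host without CR is missing.
echo "Pending from cr:"
sample_output | pending_from_repo cr
echo "Pending from updates:"
sample_output | pending_from_repo updates
```

Anything listed under `cr` is a fix that a host with CR disabled will not receive until the point release itself is published.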

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS update gap

Post by jlehtone » 2020/11/01 20:13:51

whoop wrote:
2020/10/31 22:32:06
> * Do the maintainers still release patches for critical or high severity security issues during these update gaps?
> * Do (most) people use the cr repo (and would this mitigate the chance of not having fixes for security holes installed)?

The "gap" is from the moment Red Hat releases a new (point) version to when (at least) CentOS CR is populated (or full release for 8).
In fact, it is probably a bit longer, because the last public updates for RHEL are most likely clearly before the next RHEL version.

Red Hat does release patches for the old version of RHEL, but only as part of RHEL EOS -- behind paywall. Therefore, those are not available to CentOS maintainers (even if they were critical severity).

whoop wrote:
2020/10/31 22:32:06
> It's just, well, the lack of updates at certain times; in combination with the fact that a big portion of Linux servers running on the internet are CentOS powered.
> The chance that a security hole could pop its head up in one of these gaps is quite significant if you take the size of the gap into account.

Whoever runs CentOS servers must have done their risk assessment. They have concluded the "free of charge" is better for their needs than the alternatives.
Whenever a critical issue shows up, you do another risk assessment; either accept the risk or shut down the services until patches are available.


IMHO, one gets more with CentOS than what one pays for.

SecCon
Posts: 25
Joined: 2020/10/26 11:37:31
Location: Sweden

Re: CentOS update gap

Post by SecCon » 2020/11/02 12:53:24

jlehtone wrote:
2020/11/01 20:13:51
> Whoever runs CentOS servers must have done their risk assessment. They have concluded the "free of charge" is better for their needs than the alternatives.

Or we use a server maintaining/virtualization software that recommends CentOS as Host. As I do.
Windows SysOp - Linux wannabe > CentOS newb.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS update gap

Post by jlehtone » 2020/11/02 15:58:24

CentOS aims to be 100% compatible with RHEL. If software works in CentOS, then it should work in RHEL too.
(That was refreshing, one does usually stress that software for RHEL works in CentOS too.)

Since the platforms are practically identical, the "ball" is back in the risk management's corner.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: CentOS update gap

Post by KernelOops » 2020/11/04 19:03:05

About the delayed updates, I noticed that the devs are working on CentOS 7.9, which will probably get released within 2020:
https://wiki.centos.org/About/Building_7

Unfortunately, CentOS 8 is still not a priority to anyone, since there has been no movement:
https://wiki.centos.org/About/Building_8.x

I am worried that these significant delays are due to an impending shutdown of the CentOS project. I'm just speculating based on the facts that CentOS 8 has no real announcement list of monthly updates, significant delays to release anything and the total lack of communication from centos.org itself.

I hope I'm wrong and if that is the case, then maybe someone from the project cares to post something about the future of CentOS 8. If I'm right, then the earlier they tell us CentOS is dead the better... so we can prepare our move to another distro.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CentOS update gap

Post by jlehtone » 2020/11/04 23:23:32

KernelOops wrote:
2020/11/04 19:03:05
> Unfortunately, CentOS 8 is still not a priority to anyone, since there has been no movement

What movement could there be now? The 8.2 is already released (that page says correctly: "Done") and 8.3 cannot become a topic before RHEL 8.3 appears.

Mike_Rochefort
Posts: 215
Joined: 2016/03/16 02:34:19

Re: CentOS update gap

Post by Mike_Rochefort » 2020/11/05 01:27:39

jlehtone wrote:
2020/11/04 23:23:32
> What movement could there be now? The 8.2 is already released (that page says correctly: "Done") and 8.3 cannot become a topic before RHEL 8.3 appears.

If I were to take a guess, sources for 8.3 should be arriving sometime over the next week or so. I just got my RHEL 8.3 packages available yesterday for my workstation, so that page will likely be updated soon.

And also, CentOS Stream is a thing so CentOS 8 can hardly be labeled as “inactive”. Package rebuilds for mainline have been pretty timely post minor release.

Cheers,
Mike
Solution Architect @RedHat | RHCE
Former SysAdmin @BlueSkyStudios and @Pixar
Feature animation and VFX enthusiast
--
Report CentOS Stream 8 bugs: https://da.gd/c8s-bugs
Report CentOS Stream 9 bugs: https://da.gd/c9s-bugs

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS update gap

Post by TrevorH » 2020/11/05 02:31:47

The 8.3 commits have already hit git.centos.org.
