CentOS 9 security support level

Support for security such as Firewalls and securing linux
proski
Posts: 2
Joined: 2022/02/17 17:49:34

CentOS 9 security support level

Post by proski » 2022/02/17 18:15:49

I installed CentOS Stream 9 a week ago and I'm surprised by the lack of updates. For comparison, my Fedora 35 systems get updates almost every day. What's more concerning is that I see security announcements for older CentOS versions, but CentOS Stream 9 is not even mentioned in those announcements despite apparently being affected.
For instance, a Thunderbird issue was announced for CentOS 7 in https://lists.centos.org/pipermail/cent ... 73558.html with the fixed package being thunderbird-91.6.0-1.el7
CentOS Stream 9 still has thunderbird-91.5.0-3.el9
I see that thunderbird-91.6.0-1.el9 has been built in Koji, but it's not clear when it would become available to the users via dnf upgrade.

If security support for CentOS Stream 9 is missing or incomplete, please make it very clear on the site. Maybe it's obvious for the old time CentOS users, but it wasn't obvious to me. I saw a lot of messaging about CentOS Linux 8 support expiring and the need to migrate to CentOS Stream, so I assumed that CentOS Stream 9 was ready to use.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 9 security support level

Post by TrevorH » 2022/02/17 19:16:24

It's a beta of a beta distro, there are no guarantees about anything. It took RH about 3 weeks to patch CVE-2022-0185 in the Stream 8 kernel and the reply on the mailing list from a RH'er was that there were no guarantees about CVE fixes and there would be no timescale.

It's not fit for production use and will not be until RHEL 9.0 comes out later this year.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

proski
Posts: 2
Joined: 2022/02/17 17:49:34

Re: CentOS 9 security support level

Post by proski » 2022/02/17 19:48:45

Thank you for the quick reply! I'm glad I asked!
That explains so much, except the unfortunate lack of messaging expected from a distribution that positions itself between Fedora and RHEL. I mean, if I download Fedora Beta, I know it's a beta version and I don't expect security updates until the release.
Look for yourself: https://centos.org/stream9/
On one hand, "next major release" sounds a bit suspicious, although it's not that uncommon to see that language for fully supported products.
The EOL in 2027 without "BOL", on the other hand, seems to imply that the product is supported.
That concludes my experiment with CentOS for now.
