Hello everyone. I need to track all security updates in 8-Stream and 9-Stream to then notify users about it so they can take action.
In CentOS 7 it's easy to track as there are security advisories.
For Stream, right now I'm compiling all the RHSAs that point to RHEL 8 and 9 and then checking in the repositories [1] for that specific release on branches c8s and c9 respectively.
I have a few questions:
- I want to know what is the difference between branch c8s and c8 on the git repositories.
- Is the package version that fixes the vulnerability shown in the RHSA the same as the one shown in the commits of each branch?
- Is there a better way to track security fixes in CentOS Stream? (Good to note, given that CentOS is upstream, the time I take to notify between the fix and the RHSA release is quite big)
[1] https://git.centos.org/
Many thanks in advance.
How to monitor security updates in 8-Stream and 9-Stream
Re: How to monitor security updates in 8-Stream and 9-Stream
There are no security guarantees in CentOS Stream. There are no announcements. Some updates have lagged for nearly 3 months behind the equivalent updates for RHEL.
If security (or stability or just about anything else!) is your guideline then switch to one of the other clones of RHEL, do not use Stream.
CentOS 8 died a premature death at the end of 2021 - migrate to Rocky/Alma/OEL/Springdale ASAP.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are dead, do not use them.
Use the FAQ Luke
Re: How to monitor security updates in 8-Stream and 9-Stream
> - I want to know what is the difference between branch c8s and c8 on the git repositories.
The c8 branch tracks RHEL 8 - this is the one that the clones rebuild from. The c8s branch is for Stream.
> - Is the package version that fix the vulnerability shown in the RHSA the same shown in the commits of each branch
For RHEL and clones, yes. For Stream, no, Stream no longer uses the same version number for updates that RHEL does.