Delays in CentOS 7 packaging upstream RHEL patched packages

W1bble
Posts: 3
Joined: 2019/08/27 10:33:42

Delays in CentOS 7 packaging upstream RHEL patched packages

Post by W1bble » 2019/08/27 15:48:42

Hi,

There currently seem to be a number of patched packages that RedHat have published that haven't had corresponding CentOS 7 packages built/released yet.

Does anybody know what the delay is in building/publishing these updated packages?

Thanks

W1bble

Some examples include:

Latest CentOS package              RHEL fixed package    Errata link
python-2.7.5-80.el7_6              0:2.7.5-86.el7        https://access.redhat.com/errata/RHSA-2019:2030
python-libs-2.7.5-80.el7_6         0:2.7.5-86.el7        https://access.redhat.com/errata/RHSA-2019:2030
bind-license-9.9.4-74.el7_6.2      32:9.11.4-9.P2.el7    https://access.redhat.com/errata/RHSA-2019:2057
binutils-2.27-34.base.el7          0:2.27-41.base.el7    https://access.redhat.com/errata/RHSA-2019:2075
systemd-219-62.el7_6.9             0:219-67.el7          https://access.redhat.com/errata/RHSA-2019:2091
systemd-libs-219-62.el7_6.9        0:219-67.el7          https://access.redhat.com/errata/RHSA-2019:2091
glibc-2.17-260.el7_6.6             0:2.17-292.el7        https://access.redhat.com/errata/RHSA-2019:2118
glibc-common-2.17-260.el7_6.6      0:2.17-292.el7        https://access.redhat.com/errata/RHSA-2019:2118
libssh2-1.4.3-12.el7_6.3           0:1.8.0-3.el7         https://access.redhat.com/errata/RHSA-2019:2136
procps-ng-3.3.10-23.el7            0:3.3.10-26.el7       https://access.redhat.com/errata/RHSA-2019:2189
nspr-4.19.0-1.el7_5                0:4.21.0-1.el7        https://access.redhat.com/errata/RHSA-2019:2237
nss-3.36.0-7.1.el7_6               0:3.44.0-4.el7        https://access.redhat.com/errata/RHSA-2019:2237
nss-softokn-3.36.0-5.el7_5         0:3.44.0-5.el7        https://access.redhat.com/errata/RHSA-2019:2237
nss-softokn-freebl-3.36.0-5.el7_5  0:3.44.0-5.el7        https://access.redhat.com/errata/RHSA-2019:2237
nss-sysinit-3.36.0-7.1.el7_6       0:3.44.0-4.el7        https://access.redhat.com/errata/RHSA-2019:2237
nss-tools-3.36.0-7.1.el7_6         0:3.44.0-4.el7        https://access.redhat.com/errata/RHSA-2019:2237
nss-util-3.36.0-1.1.el7_6          0:3.44.0-3.el7        https://access.redhat.com/errata/RHSA-2019:2237
openssl-libs-1.0.2k-16.el7_6.1     1:1.0.2k-19.el7       https://access.redhat.com/errata/RHSA-2019:2304
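The comparison behind the table above (is the installed CentOS build older than the build the RHEL errata fixed?) is rpm's epoch:version-release ordering, not a string comparison. Below is an added example, not code from the post or from the CentOS project: a small Python port of rpm's rpmvercmp() applied to a constructed subset of the table, so an administrator can flag hosts that still lag behind published errata. Because the installed NVR strings in the post carry no epoch, the example assumes the installed package shares the fixed package's epoch.

```python
import re

# Constructed sample taken from the table in the post:
# (installed CentOS package NVR, RHEL fixed EVR from the errata)
SAMPLE = [
    ("python-2.7.5-80.el7_6", "0:2.7.5-86.el7"),
    ("bind-license-9.9.4-74.el7_6.2", "32:9.11.4-9.P2.el7"),
    ("openssl-libs-1.0.2k-16.el7_6.1", "1:1.0.2k-19.el7"),
    ("procps-ng-3.3.10-23.el7", "0:3.3.10-26.el7"),
]

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if older, 0 if equal.
    Separators are ignored, numeric segments beat alphabetic ones, '~' sorts lowest."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    # a trailing '~' segment makes the longer string older (1.0~rc1 < 1.0)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign

def split_evr(evr):
    """'1:1.0.2k-19.el7' -> (1, '1.0.2k', '19.el7'); a missing epoch means 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_compare(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def lagging(installed_nvr, fixed_evr):
    """True when the installed build is older than the errata's fixed build.
    Assumption: the installed NVR has no epoch, so the fixed package's epoch is used."""
    name, version, release = installed_nvr.rsplit("-", 2)
    epoch = split_evr(fixed_evr)[0]
    return evr_compare(f"{epoch}:{version}-{release}", fixed_evr) < 0

def report(pairs=SAMPLE):
    """Names of packages in `pairs` whose installed build is behind the fix."""
    return [nvr.rsplit("-", 2)[0] for nvr, fixed in pairs if lagging(nvr, fixed)]
```

On a live host the installed side would come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <name>` rather than the constructed list.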

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by avij » 2019/08/27 16:03:55

These are probably part of RHEL 7.7, and will be included in CentOS 7.7 when it becomes available. The packages will make their first appearance in the CR repository, but the packages aren't there yet.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by TrevorH » 2019/08/27 16:17:42

s/probably//

These are part of 7.7 so will be released first to CR and then GA once the iso images are created.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

W1bble
Posts: 3
Joined: 2019/08/27 10:33:42

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by W1bble » 2019/08/28 08:27:27

Hi,

Thanks for this. The current CentOS FAQ for "How long after Red Hat publishes a fix does it take for CentOS to publish a fix" (https://wiki.centos.org/FAQ/General#hea ... f1f7038ccb) - suggested that security fixes will be published between 24 and 72 hours after the upstream fixes are released. Is this FAQ now wrong or have I misunderstood?

Whilst I can see why bug fixes and enhancements will be released in slower time with more testing, the examples I provided in my original post are all security fixes.

Thanks

W1bble

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by avij » 2019/08/28 09:29:07

Maybe you should read the CR link I posted for background. The examples you posted are a small fraction of 7.7 updates, and all the 7.7 updates will need to be published at the same time. There are 408 updates (producing 2678 binary rpms) in 7.7.

W1bble
Posts: 3
Joined: 2019/08/27 10:33:42

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by W1bble » 2019/08/29 08:08:41

Hi,

I did look at the CR link and followed the instructions for the CR repo but there are no packages in that repo yet:

[root@test /]# yum repolist
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: anorien.csc.warwick.ac.uk
* extras: www.mirrorservice.org
* updates: mirrors.clouvider.net
repo id repo name status
base/7/x86_64 CentOS-7 - Base 10019
extras/7/x86_64 CentOS-7 - Extras 435
updates/7/x86_64 CentOS-7 - Updates 2500
repolist: 12954
[root@test /]# yum check-update
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: anorien.csc.warwick.ac.uk
* extras: www.mirrorservice.org
* updates: mirrors.clouvider.net
[root@test /]# yum-config-manager --enable cr
Loaded plugins: fastestmirror, ovl
=============================================================================== repo: cr ===============================================================================
[cr]
async = True
bandwidth = 0
base_persistdir = /var/lib/yum/repos/x86_64/7
baseurl = http://mirror.centos.org/centos/7/cr/x86_64/
cache = 0
cachedir = /var/cache/yum/x86_64/7/cr
check_config_file_age = True
compare_providers_priority = 80
cost = 1000
deltarpm_metadata_percentage = 100
deltarpm_percentage =
enabled = 1
enablegroups = True
exclude =
failovermethod = priority
ftp_disable_epsv = False
gpgcadir = /var/lib/yum/repos/x86_64/7/cr/gpgcadir
gpgcakey =
gpgcheck = True
gpgdir = /var/lib/yum/repos/x86_64/7/cr/gpgdir
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
hdrdir = /var/cache/yum/x86_64/7/cr/headers
http_caching = all
includepkgs =
ip_resolve =
keepalive = True
keepcache = False
mddownloadpolicy = sqlite
mdpolicy = group:small
mediaid =
metadata_expire = 21600
metadata_expire_filter = read-only:present
metalink =
minrate = 0
mirrorlist =
mirrorlist_expire = 86400
name = CentOS-7 - cr
old_base_cache_dir =
password =
persistdir = /var/lib/yum/repos/x86_64/7/cr
pkgdir = /var/cache/yum/x86_64/7/cr/packages
proxy = False
proxy_dict =
proxy_password =
proxy_username =
repo_gpgcheck = False
retries = 10
skip_if_unavailable = False
ssl_check_cert_permissions = True
sslcacert =
sslclientcert =
sslclientkey =
sslverify = True
throttle = 0
timeout = 30.0
ui_id = cr/7/x86_64
ui_repoid_vars = releasever,
basearch
username =

[root@test /]# yum repolist
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: anorien.csc.warwick.ac.uk
* extras: www.mirrorservice.org
* updates: mirrors.clouvider.net
cr | 3.3 kB 00:00:00
cr/7/x86_64/primary_db | 1.1 kB 00:00:01
repo id repo name status
base/7/x86_64 CentOS-7 - Base 10019
cr/7/x86_64 CentOS-7 - cr 0
extras/7/x86_64 CentOS-7 - Extras 435
updates/7/x86_64 CentOS-7 - Updates 2500
repolist: 12954
[root@test /]# yum check-update
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: anorien.csc.warwick.ac.uk
* extras: www.mirrorservice.org
* updates: mirrors.clouvider.net
[root@test /]#

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by TrevorH » 2019/08/29 08:37:21

You know it takes quite a long time to build 2,700 rpms? Even signing them takes hours. And they have to be tested, checked to see if they are correct etc. And since they are all released together, they have to be built together and in the correct order so that the resulting CentOS packages are all dependent on the correct things and linked against the correct things. That makes it pretty much impossible to cherry-pick individual packages out of that mess for early release.

Redhat have the luxury of not announcing when their point release comes out. CentOS does not. CentOS gets no advance notification or access to the new point release - we get access to the SRPMs via git.centos.org when Redhat press the button to release their version. And since the SRPMs are all released together, they have to be built together and in the correct order.

There will be announcement emails sent to the centos-announce-cr list when it goes to CR. There will be an announcement email sent to centos-announce when 7.7 goes GA.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by avij » 2019/08/29 09:05:17

W1bble wrote » 2019/08/29 08:08:41:
    I did look at the CR link and followed the instructions for the CR repo but there are no packages in that repo yet:
Right, exactly as I said earlier. I used the future tense on purpose.

mwitschke
Posts: 1
Joined: 2019/08/29 23:53:06

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by mwitschke » 2019/08/30 00:18:06

Thank you for your response. Are you saying that CentOS cannot release any security updates while a point release is being prepared because the complete build infrastructure is busy building new packages? I just want to make sure I understood this correctly. If so, are there any metrics from past releases how long this period lasts? Is the beginning of such a period being announced somewhere?


Thanks,
Michael

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Delays in CentOS 7 packaging upstream RHEL patched packages

Post by TrevorH » 2019/08/30 00:54:08

When a new RHEL point release comes out, all those updates that make up the point release have to be built. They have to be built in the correct order - sometimes they refuse to build with the older version of some other package. Other times they build against the older one but then aren't correct because of that and have to be rebuilt again after the prereq has been rebuilt too.

If a point release contains a particularly severe security fix, or a subsequent severe RHEL fix comes out before the equivalent CentOS version is released, then I believe that severe package gets rebuilt against the current point release and released first. That doesn't happen often (I cannot remember when the last time was).

There are numbers in the Wikipedia article, but those measure from the release of RHEL until the release of the CentOS version and all its isos etc. In real life, the packages are rebuilt and tested and then those packages are signed and sent to the CR repo. Once they are in CR then you can enable that repo and update an installed system to it. Usually that takes a week or two. Then the isos are built, tested and released and that takes a while, but it's that release that the Wikipedia article tracks.

And please note, everyone who replies on these forums is a volunteer and does not speak for the project.
