Old 11-22-2011, 07:55 AM
Johnny Hughes
 
Default moving the CR repo into mainstream release

On 11/21/2011 06:05 PM, Les Mikesell wrote:
> On Mon, Nov 21, 2011 at 5:50 PM, Stephen Walsh <steve@nerdvana.org.au> wrote:
>> On 11/22/2011 10:43 AM, Tom Sorensen wrote:
>>> FSVO risk, sure. Except that upstream recommends this all the time
>>> when troubleshooting customer systems.
>>
>>
>>> IOW, the risk is exceptionally small.
>>
>> With a nice support contract and an army of willing RH engineers on the
>> other end of a phone, yes, the risk is small.
>
> And you are running the same code...
>
>> For $Johnny_webhost, who takes his daily income from his business, and
>> can't afford the above mentioned support on his rack full of EL boxes
>> (which is why he uses centos), he needs to balance the risk of losing
>> customers due a security incident vs running a full up to date and
>> stable system with a mix of current and upcoming release packages, and
>> all with the knowledge in his head and what he can get from the main
>> centos list (most of which last time I looked appeared to be a
>> conversation about why you should use ubuntu over centos).
>>
>> The Lowest Common Denominator is the one we need to think about here.
>> The end user that wants EL stability and security, but can't afford to
>> spend the money on upstream subscriptions.
>
> The question is whether this person would be better off getting
> security updates that were built post-minor-rev-update or not in a
> default 'yum update'. It's a yes or no question, where recommending
> doing one thing and making the default something else doesn't make a
> lot of sense. With/without the CR approach, the non-security related
> updates are going to come along for the ride, and you will probably
> want them anyway.
>

BUT ... I think that giving the user the choice is certainly preferable.
We have a process that we use to build and test packages, and when we
finish we have what we call a stable and completely QA'ed process.

We offer, at some increased risk (due to less QA), a repo of staged updates.

We made this very easy to get ... just run yum install centos-release-cr
if you want it.

But we give the customer the option to take the increased risk or not.

I think this is the RIGHT way to do this.

I know that it means if you do not know how to manage your machine (and
issue a very simple command to get CR) then you don't get it ... but I
still think that the full repo with full QA should be the default.

We can recommend that people go ahead and do CR in the release notes,
but I think it is a mistake to turn it on by default.

If you would rather add it to the MAIN repo file (CentOS-Base.repo) and
have it off, then require people to edit that to get it, that is fine by
me too ... but I think a simple command (yum install centos-release-cr)
is much easier than editing the CentOS-Base.repo file anyway.

Then, we make people who want CR happy, they can install it and it works
after install ... and we make the people like Greg happy because he does
not have to do anything to turn it off if he perceives the risk is too
great to have it on.

That way, we can recommend (through the release notes) that people use
it ... but give them the final option.

That's my $0.02

_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
http://lists.centos.org/mailman/listinfo/centos-devel
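As an added example, not code from the thread or from the CentOS project, here is a POSIX shell audit of a yum .repo file laid out the way Johnny suggests, with a [cr] section shipped but set to enabled=0. The repo file is constructed inline and the [thirdparty] section is hypothetical; the script reports which sections a plain `yum update` would pull from and which of those lack gpgcheck=1, which is what an admin wants to verify before trusting that the opt-in default is actually in force on a box.

```shell
#!/bin/sh
# Added example: audit a yum .repo file for (a) which sections are enabled
# and (b) which enabled sections do not carry gpgcheck=1.

# Constructed sample in the style of CentOS-Base.repo with the CR section
# shipped but switched off (enabled=0), as proposed in the thread. The
# [thirdparty] section is hypothetical, included to show an unsigned repo.
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1
enabled=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
enabled=1

[cr]
name=CentOS-$releasever - Continuous Release
gpgcheck=1
enabled=0

[thirdparty]
name=Hypothetical vendor repo
gpgcheck=0
enabled=1
EOF

# repo_audit FILE MODE
#   MODE=enabled  -> ids of sections with enabled=1 (a section with no
#                    enabled= key counts as enabled, which is yum's default)
#   MODE=unsigned -> ids of enabled sections lacking an explicit gpgcheck=1
# Output is the matching ids on one line, space separated.
repo_audit() {
    awk -v mode="$2" '
        function flush() {
            if (id == "" || !en) return
            if (mode == "enabled" || !gpg) printf "%s\n", id
        }
        /^\[.+\]$/ {                          # new section: emit the previous one
            flush()
            id = substr($0, 2, length($0) - 2); en = 1; gpg = 0
            next
        }
        /^[[:space:]]*enabled[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); en = ($0 == "1"); next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); gpg = ($0 == "1"); next
        }
        END { flush() }
    ' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: show what a plain "yum update" would pull from, then flag
# enabled repos without signature checking.
echo "enabled:  $(repo_audit "$SAMPLE_REPO" enabled)"
echo "unsigned: $(repo_audit "$SAMPLE_REPO" unsigned)"
```

Point it at /etc/yum.repos.d/CentOS-Base.repo (or the whole directory, one file at a time) to confirm that cr stays off until someone deliberately turns it on.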
 
Old 11-22-2011, 08:22 AM
David Hrbáč
 
Default moving the CR repo into mainstream release

On 22.11.2011 9:55, Johnny Hughes wrote:
> We made this very easy to get ... just run yum install centos-release-cr
> if you want it.
>
> But we give the customer the option to take the increased risk or not.
>
> I think this is the RIGHT way to do this.
Johnny,
CR repo is fine, glad we have it. I'd like it to stay optional. We are
using it on boxes not managed by Spacewalk. Boxes managed by Spacewalk
are not using CR:
- no errata (we are using errata binding)
- packages from CR are going to be moved into Base/Updates repos, but
Spacewalk server keeps all the downloaded packages

So, CR is a good trade-off; a full release would be better.
Thanks,
DH
 
Old 11-22-2011, 01:04 PM
Les Mikesell
 
Default moving the CR repo into mainstream release

On Tue, Nov 22, 2011 at 2:55 AM, Johnny Hughes <johnny@centos.org> wrote:
>>
>> The question is whether this person would be better off getting
>> security updates that were built post-minor-rev-update or not in a
>> default 'yum update'. It's a yes or no question, where recommending
>> doing one thing and making the default something else doesn't make a
>> lot of sense. With/without the CR approach, the non-security related
>> updates are going to come along for the ride, and you will probably
>> want them anyway.
>>
>
> BUT ... I think that giving the user the choice is certainly preferable.

You have always had the choice of running 'yum update' or not. Or
running it for specific packages. Or looking at the list it offers
and making the choice then. That's for people who are paying
attention. The question is what should happen if you don't pay
attention and just expect 'yum update' to always install all available
security updates for the life of the major rev like it always had
before, dragging along some other bugfixes at minor releases.

> We offer, at some increased risk (due to less QA), a repo of staged updates.

I think the risk factor goes the other way, at least for any machine
that needs updates at all. We just haven't had a well-known exploit
to show it yet.

> We made this very easy to get ... just run yum install centos-release-cr
> if you want it.
>
> But we give the customer the option to take the increased risk or not.

That would reduce the risk if any security issues are involved.

> I think this is the RIGHT way to do this.

Maybe it would have been from the beginning, but at this point I'd bet
that there are a lot of CentOS installations that haven't updated and
don't know that they have to do something new and different to get
security updates.

> I know that it means if you do not know how to manage your machine (and
> issue a very simple command to get CR) then you don't get it ... but I
> still think that the full repo with full QA should be the default.

How long do you think it is reasonable to go without updates? I'd
call it mostly a matter of luck if you keep running after any
combination of a remote exploit plus a local privilege escalation are
known by anyone - and that has always been just a matter of time.

> Then, we make people who want CR happy, they can install it and it works
> after install ... and we make the people like Greg happy because he does
> not have to do anything to turn it off if he perceives the risk is too
> great to have it on.

If updating is too much of a risk, don't update at all. He's going to
get the one he suggested as a problem as soon as you do a real release
anyway. I don't think he really identified a problem related to having
the minor rev updates come before a new anaconda/iso is available.

--
Les Mikesell
lesmikesell@gmail.com
 
Old 11-22-2011, 01:29 PM
Johnny Hughes
 
Default moving the CR repo into mainstream release

On 11/22/2011 08:04 AM, Les Mikesell wrote:
> On Tue, Nov 22, 2011 at 2:55 AM, Johnny Hughes <johnny@centos.org> wrote:
>>>
>>> The question is whether this person would be better off getting
>>> security updates that were built post-minor-rev-update or not in a
>>> default 'yum update'. It's a yes or no question, where recommending
>>> doing one thing and making the default something else doesn't make a
>>> lot of sense. With/without the CR approach, the non-security related
>>> updates are going to come along for the ride, and you will probably
>>> want them anyway.
>>>
>>
>> BUT ... I think that giving the user the choice is certainly preferable.
>
> You have always had the choice of running 'yum update' or not. Or
> running it for specific packages. Or looking at the list it offers
> and making the choice then. That's for people who are paying
> attention. The question is what should happen if you don't pay
> attention and just expect 'yum update' to always install all available
> security updates for the life of the major rev like it always had
> before, dragging along some other bugfixes at minor releases.

It still does, when we get the release done. We are not going to leave
the stuff in CR forever. When the release happens, those people get the
same packages as the last version of CR. So they will get the updates too.

>
>> We offer, at some increased risk (due to less QA), a repo of staged updates.
>
> I think the risk factor goes the other way, at least for any machine
> that needs updates at all. We just haven't had a well-known exploit
> to show it yet.
>

I don't know what to tell you ... it all comes down to choices. If you
can't wait to get updates, Buy RHEL. If you don't want RHEL, you decide
what YOU think is the riskiest situation. If you do nothing, CentOS
works exactly like it does now.

Also, don't forget that we have made MAJOR changes to our build system
and we are building things much more efficiently now than before.

We have also found and fixed several issues like these:

https://bugzilla.redhat.com/show_bug.cgi?id=641739

https://bugzilla.redhat.com/show_bug.cgi?id=743229

Which caused us many bad packages.

>> We made this very easy to get ... just run yum install centos-release-cr
>> if you want it.
>>
>> But we give the customer the option to take the increased risk or not.
>
> That would reduce the risk if any security issues are involved.

You have the option to get it if you want it or you can wait. If an
update breaks your system because of a QA issue and causes you downtime,
that is also a risk. The issue is, you (the user) get to decide .. not
Johnny or Les, but the user.

>> I think this is the RIGHT way to do this.
>
> Maybe it would have been from the beginning, but at this point I'd bet
> that there are a lot of CentOS installations that haven't updated and
> don't know that they have to do something new and different to get
> security updates.

They do not HAVE to do anything new. CR is an optional thing that has a
limited time scope. They will still get updates when we release the
point release.

And judge us by the 6.2 release. It should happen soon and we now have
finalized all our scripting for the new build system for 6.x. Of
course, new issues will mean we need new scripts, but I think we have it
working well now.

We are also expecting several very large build machines from 2 very
large sponsors .. I can't name them, but everyone knows them.

>
>> I know that it means if you do not know how to manage your machine (and
>> issue a very simple command to get CR) then you don't get it ... but I
>> still think that the full repo with full QA should be the default.
>
> How long do you think it is reasonable to go without updates? I'd
> call it mostly a matter of luck if you keep running after any
> combination of a remote exploit plus a local privilege escalation are
> known by anyone - and that has always been just a matter of time.
>

You are in complete control of this ... we get done when we get done.
If that is not fast enough for you, you must use something else. RHEL
is available.

>> Then, we make people who want CR happy, they can install it and it works
>> after install ... and we make the people like Greg happy because he does
>> not have to do anything to turn it off if he perceives the risk is too
>> great to have it on.
>
> If updating is too much of a risk, don't update at all. He's going to
> get the one he suggested as a problem as soon as you do a real release
> anyway. I don't think he really identified a problem related to having
> the minor rev updates come before a new anaconda/iso is available.
>

Not necessarily. We have FIXED many issues from CR .. also even if they
are not fixed, they are called out in bugs.centos.org ... like this one:

http://bugs.centos.org/view.php?id=5254

Easy enough to fix if you are expecting it ... someone in CR found it
(also upstream).

The point is ... use CR or don't ... choice is yours. Use CentOS or
RHEL ... that choice is also yours. If you want SLA level update times,
you need an SLA level Enterprise Linux.

 
Old 11-22-2011, 01:39 PM
Johnny Hughes
 
Default moving the CR repo into mainstream release

On 11/22/2011 08:29 AM, Johnny Hughes wrote:

....

Oh, and another thing. We are automating many processes in the QA
system too...

https://gitorious.org/+centos-testing

Everyone can see tests and people who request to can create tests to
help us check for things that we find are problems.

This process is getting better for 6.x

In case you have not noticed, all the updates for c5.x and c4.x have
been happening within 24 hours (the within a point release updates).

Things are getting better, not worse.

 
Old 11-22-2011, 01:43 PM
Gilbert Sebenste
 
Default moving the CR repo into mainstream release

On Tue, 22 Nov 2011, Johnny Hughes wrote:

> Things are getting better, not worse.

Noted and appreciated. Thank you, Johnny, and the CentOS team, for
working hard on this, in spite of upstream making it more
difficult to do these quickly!

--
Gilbert Sebenste
(My opinions only!)
Staff Meteorologist, Northern Illinois University
E-mail: sebenste@weather.admin.niu.edu
web: http://weather.admin.niu.edu
Twitter: http://www.twitter.com/NIU_Weather
Facebook: http://www.facebook.com/niu.weather
 
Old 11-22-2011, 06:24 PM
Kevin Stange
 
Default moving the CR repo into mainstream release

On 11/22/2011 08:04 AM, Les Mikesell wrote:
> On Tue, Nov 22, 2011 at 2:55 AM, Johnny Hughes <johnny@centos.org> wrote:
>>>
>>> The question is whether this person would be better off getting
>>> security updates that were built post-minor-rev-update or not in a
>>> default 'yum update'. It's a yes or no question, where recommending
>>> doing one thing and making the default something else doesn't make a
>>> lot of sense. With/without the CR approach, the non-security related
>>> updates are going to come along for the ride, and you will probably
>>> want them anyway.
>>>
>>
>> BUT ... I think that giving the user the choice is certainly preferable.
>
> You have always had the choice of running 'yum update' or not. Or
> running it for specific packages. Or looking at the list it offers
> and making the choice then. That's for people who are paying
> attention. The question is what should happen if you don't pay
> attention and just expect 'yum update' to always install all available
> security updates for the life of the major rev like it always had
> before, dragging along some other bugfixes at minor releases.

I've always thought if you are aware enough that you are selective about
updates and concerned about breakage of your dependencies (be they ABI,
API, or otherwise), you'd review the release notes of every package
before updating anything and stage updates into a testing environment
before moving them to production, regardless of whether the updates come
via CR.

In that case, if the CR is rolled into a mainline continuous
distribution by default, you'd still be selectively choosing your
updates based on what they do, rather than blindly installing them and
assuming they won't break everything.

If the user is too novice to care or know better, he is going to blindly
do this either before or after the full QA process. In my experience so
far with the CR, there have been no significant QA problems with
packages. Changes upstream that break compatibility will arrive either
way for most people and not rolling them continuously just delays
security fixes and the compatibility breakage until an arbitrary future
time, which really doesn't save anyone any headaches.

Not only that, but even within a release of EL5, there have been updates
which had serious operational consequences, such as the openssl
renegotiation patch, which changed application behavior in occasionally
incompatible ways.

All other things equal, I'd always rather err on the side of a system
service going offline due to a dependency break than exploited due to an
unpatched security vulnerability.

--
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867

 
Old 11-22-2011, 07:00 PM
Marko Bevc
 
Default moving the CR repo into mainstream release

Well my 5c... nothing being wrong with the CR repo, but doesn't the upstream
provider (RH) deploy updates as they come? So if you put them in the main
repo as you compile them it would be the same? (maybe just check
the order...)



Regards,
Marko
On Tue, 22 Nov 2011, Les Mikesell wrote:

> On Tue, Nov 22, 2011 at 2:55 AM, Johnny Hughes <johnny@centos.org> wrote:
>>>
>>> The question is whether this person would be better off getting
>>> security updates that were built post-minor-rev-update or not in a
>>> default 'yum update'. It's a yes or no question, where recommending
>>> doing one thing and making the default something else doesn't make a
>>> lot of sense. With/without the CR approach, the non-security related
>>> updates are going to come along for the ride, and you will probably
>>> want them anyway.
>>>
>>
>> BUT ... I think that giving the user the choice is certainly preferable.
>
> You have always had the choice of running 'yum update' or not. Or
> running it for specific packages. Or looking at the list it offers
> and making the choice then. That's for people who are paying
> attention. The question is what should happen if you don't pay
> attention and just expect 'yum update' to always install all available
> security updates for the life of the major rev like it always had
> before, dragging along some other bugfixes at minor releases.
>
>> We offer, at some increased risk (due to less QA), a repo of staged updates.
>
> I think the risk factor goes the other way, at least for any machine
> that needs updates at all. We just haven't had a well-known exploit
> to show it yet.
>
>> We made this very easy to get ... just run yum install centos-release-cr
>> if you want it.
>>
>> But we give the customer the option to take the increased risk or not.
>
> That would reduce the risk if any security issues are involved.
>
>> I think this is the RIGHT way to do this.
>
> Maybe it would have been from the beginning, but at this point I'd bet
> that there are a lot of CentOS installations that haven't updated and
> don't know that they have to do something new and different to get
> security updates.
>
>> I know that it means if you do not know how to manage your machine (and
>> issue a very simple command to get CR) then you don't get it ... but I
>> still think that the full repo with full QA should be the default.
>
> How long do you think it is reasonable to go without updates? I'd
> call it mostly a matter of luck if you keep running after any
> combination of a remote exploit plus a local privilege escalation are
> known by anyone - and that has always been just a matter of time.
>
>> Then, we make people who want CR happy, they can install it and it works
>> after install ... and we make the people like Greg happy because he does
>> not have to do anything to turn it off if he perceives the risk is too
>> great to have it on.
>
> If updating is too much of a risk, don't update at all. He's going to
> get the one he suggested as a problem as soon as you do a real release
> anyway. I don't think he really identified a problem related to having
> the minor rev updates come before a new anaconda/iso is available.

 
Old 11-22-2011, 07:56 PM
Ljubomir Ljubojevic
 
Default moving the CR repo into mainstream release

On 11/22/2011 09:00 PM, Marko Bevc wrote:
> Well my 5c... nothing being wrong with the CR repo, but doesn't the upstream
> provider (RH) deploy updates as they come? So if you put them in the main
> repo as you compile them it would be the same? (maybe just check
> the order...)

2c -> 5c Inflation already? ;-)

You probably haven't read the whole thread. They are discussing possible
changes in ABI, API... that upstream performs at point releases 5.6,
5.7, ... compared to Continuous Repo without expected breakage at
point-release release time.

You better pedal back 35+ messages and track down particular point of
discussion before you respond, if you do not understand what I wrote
just now.


--

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
 
Old 11-22-2011, 08:16 PM
Marko Bevc
 
Default moving the CR repo into mainstream release

Sorry... must have missed all those mails. Well, as said before, it is
always your choice to run yum update - and that way we can preserve the
original procedure of the RH distro.


Regards,
Marko

On Tue, 22 Nov 2011, Ljubomir Ljubojevic wrote:

> On 11/22/2011 09:00 PM, Marko Bevc wrote:
>> Well my 5c... nothing being wrong with the CR repo, but doesn't the upstream
>> provider (RH) deploy updates as they come? So if you put them in the main
>> repo as you compile them it would be the same? (maybe just check
>> the order...)
>
> 2c -> 5c Inflation already? ;-)
>
> You probably haven't read the whole thread. They are discussing possible
> changes in ABI, API... that upstream performs at point releases 5.6,
> 5.7, ... compared to Continuous Repo without expected breakage at
> point-release release time.
>
> You better pedal back 35+ messages and track down particular point of
> discussion before you respond, if you do not understand what I wrote
> just now.
