How does Fedora’s security patch lag compare to CentOS? The CentOS website states that security patches from RHEL take 24-72 hours to land in CentOS. But CentOS is a downstream, non-profit clone of RHEL.
Fedora is technically upstream from RHEL, but RHEL isn’t exactly downstream from Fedora:
Red Hat removes and modifies a lot of software from the Fedora release before it becomes a RHEL release.
RHEL freezes the kernel and most software versions, backporting fixes for 10 years, whereas Fedora releases are EoL after 13 months.
Answer: it’s a trick question! Fixes originate from any number of places (upstream sources, other distros, CVE notes, etc.) and circulate in a non-linear fashion before finally hitting your machine.
It would be great if someone were willing to do the work to compare CVEs against distro errata and testing to see when things are actually fixed. If nothing else, it would foster some healthy competition. But comparing distros as different as CentOS and Fedora introduces lots of confounding variables: Linus’ aversion to marking changes as security fixes, the low-assurance nature of most Linux distros, and the selectivity of what Red Hat includes from Fedora.
It’s a bit easier to compare RHEL clones. My thoughts are that paying Red Hat money means you get stability and speedier updates. CentOS Stream won’t get some fixes as fast as RHEL due to non-disclosure agreements.
That’s why the whole CentOS Stream “controversy” is stupid: Red Hat and RHEL clones (FB, AWS, Google, Oracle, VMWare, etc.) deliver some patches to their own customers before they find their way into CentOS. This means that CentOS is already a synchronization point for patches that were (fingers crossed) close enough to RHEL to be binary compatible. So they decided to just formalize the arrangement and switch CentOS’s nominal designation from being “downstream” to being “upstream”.