Comparing Fedora & CentOS Security Fix Lag

How does Fedora’s security patch lag compare to CentOS? The CentOS website states that security patches from RHEL take 24-72 hours to land in CentOS. But CentOS is a downstream, non-profit clone of RHEL.

Fedora is technically upstream from RHEL, but RHEL isn’t exactly downstream from Fedora:

  • Red Hat removes and modifies a lot of software from the Fedora release before it becomes a RHEL release.
  • RHEL freezes the kernel and most software versions, backporting fixes for 10 years, whereas Fedora releases are EoL after 13 months.
  • RHEL obfuscates patches to frustrate clones like Oracle and SUSE.

Does Fedora wait for opaque security errata from RHEL releases like CentOS, or is there a more cooperative relationship?

2 Likes

Hi @indolering! Welcome to Fedora!

I asked on the -devel mailing list and received some replies:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/XBZ63KP5TRUIO2T6XAWBP6BY4AMS5LCR/#ODPFVZHO5LR46VIZOCUZ2LSNRJGOQISD

Perhaps follow up there with any specific questions you have? (This is more an end-user focused forum, so not all devs will hang out here)

1 Like

I wouldn’t call SUSE a clone; apart from sharing RPM as a packaging format, their distributions have been separate (openSUSE and SLES), with a history dating back to the 1990s.

2 Likes

Answer: it’s a trick question! Fixes originate from any number of places (upstream sources, other distros, CVE notes, etc.) and circulate in a non-linear fashion before finally hitting your machine.

It would be great if someone was willing to do the work to compare CVEs against distro errata and testing to see when things are actually fixed. If nothing else, it would foster some healthy competition. But comparing distros as different as CentOS and Fedora introduces lots of confounding variables: Linus’ aversion to marking changes as security fixes, the low assurance nature of most Linux distros, and the selectivity of what Red Hat includes from Fedora.

It’s a bit easier to compare RHEL clones. My thoughts are that paying Red Hat money means you get stability and speedier updates. CentOS Stream won’t get some fixes as fast as RHEL due to non-disclosure agreements.

That’s why the whole CentOS Stream “controversy” is stupid: Red Hat and RHEL clones (FB, AWS, Google, Oracle, VMware, etc.) deliver some patches to their own customers before they find their way into CentOS. This means that CentOS is already a synchronization point for patches that were (fingers crossed) close enough to RHEL to be binary compatible. So they decided to just formalize the arrangement and switch CentOS’s nominal designation from being “downstream” to being “upstream”.

2 Likes
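The post above asks for someone to compare CVE publication dates against distro errata dates to see when things actually get fixed. The script below is an added example of that measurement, not code from the thread or from any Fedora/CentOS tooling. All CVE identifiers, dates and distribution names in it are constructed placeholders; in practice the `published` date would come from the CVE record and each `fixed` date from the distro's advisory feed (e.g. Bodhi for Fedora, errata announcements for CentOS). It reports per-distro median and maximum lag, counts fixes that shipped before public disclosure (embargoed or coordinated fixes, which show up as negative lag and would otherwise skew a naive average), lists CVEs with no advisory yet, and computes the CVE-by-CVE lag of one distro relative to another, which is the number that matters when comparing a downstream rebuild to its upstream.

```python
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass
class CveRecord:
    """One CVE plus the date each distribution shipped a fix (None = no advisory seen)."""
    cve_id: str
    published: date                      # public disclosure date of the CVE
    fixed: Dict[str, Optional[date]] = field(default_factory=dict)


# Constructed sample data: these CVE ids and dates are placeholders for
# illustration only, not real advisories.
SAMPLE: List[CveRecord] = [
    CveRecord("CVE-0000-0001", date(2021, 3, 1),
              {"rhel": date(2021, 3, 3), "centos": date(2021, 3, 5), "fedora": date(2021, 3, 2)}),
    # Fix shipped in "rhel" a day before public disclosure (coordinated/embargoed fix).
    CveRecord("CVE-0000-0002", date(2021, 3, 10),
              {"rhel": date(2021, 3, 9), "centos": date(2021, 3, 11), "fedora": date(2021, 3, 12)}),
    # "fedora" has no advisory yet for this one.
    CveRecord("CVE-0000-0003", date(2021, 4, 1),
              {"rhel": date(2021, 4, 15), "centos": date(2021, 4, 17), "fedora": None}),
]


def lag_days(record: CveRecord, distro: str) -> Optional[int]:
    """Days from public disclosure to the distro's fix; None if unpatched."""
    fixed = record.fixed.get(distro)
    if fixed is None:
        return None
    return (fixed - record.published).days


def summarize(records: List[CveRecord], distros: List[str]) -> Dict[str, dict]:
    """Per-distro lag statistics, keeping pre-disclosure fixes and unpatched CVEs visible."""
    summary: Dict[str, dict] = {}
    for distro in distros:
        lags: List[int] = []
        unpatched: List[str] = []
        for rec in records:
            lag = lag_days(rec, distro)
            if lag is None:
                unpatched.append(rec.cve_id)
            else:
                lags.append(lag)
        summary[distro] = {
            "fixed_count": len(lags),
            "median_lag_days": median(lags) if lags else None,
            "max_lag_days": max(lags) if lags else None,
            # Negative lag means the fix landed before the CVE went public.
            "pre_disclosure_fixes": sum(1 for lag in lags if lag < 0),
            "unpatched": unpatched,
        }
    return summary


def relative_lag(records: List[CveRecord], base: str, other: str) -> Dict[str, Optional[int]]:
    """Days by which `other` trailed `base` on each CVE both have fixed (None otherwise)."""
    result: Dict[str, Optional[int]] = {}
    for rec in records:
        base_date, other_date = rec.fixed.get(base), rec.fixed.get(other)
        if base_date is None or other_date is None:
            result[rec.cve_id] = None
        else:
            result[rec.cve_id] = (other_date - base_date).days
    return result


if __name__ == "__main__":
    for distro, stats in summarize(SAMPLE, ["rhel", "centos", "fedora"]).items():
        print(distro, stats)
    print("centos behind rhel by:", relative_lag(SAMPLE, "rhel", "centos"))
```

Running it on the constructed sample shows why the raw per-distro lag is a poor comparison across distros with different release models (the Fedora row has a lower median only because its unpatched CVE is excluded), while the relative lag of a rebuild against its upstream is a clean, per-CVE number.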

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.