I thought that CentOS Stream 9 was the place where development for RHEL happens, except for security patches, which go to RHEL first.
But this Reddit user pointed out that the CentOS Stream 9 kernel has all the CVE patches that are now in RHEL. I checked the changelog, and it appears to be the case.
Stream 9 is NOT behind RHEL when it comes to security in the kernel. I haven’t checked other packages yet, but the kernel has been my main concern.
If this continues, it makes a very good case for adopting CentOS Stream.
Did policies and procedures in CentOS Stream change? I think this is something worth noting.
Only embargoed security fixes go to RHEL first, flowing then into CentOS Stream once the embargo is lifted. Everything else (including non-embargoed security fixes) happens in CentOS Stream first.
Our policy from the start has been that CVE fixes with an Important or Critical Severity and anything Embargoed is released in RHEL first, and then the code is pulled into Stream. Other CVE fixes are free to land in Stream at any time alongside regular features and bugs.
From the list you mentioned from Reddit, there are tons of Moderate and Low, but at least one Important: CVE-2022-0185 (probably more). From Brian’s post, it makes sense to see Moderate and Low making it to CS first, but the only way I can then see the Important ones making it to CS first is when the fix is first done in RHEL and the engineer applies it to CS9 as well, and it appears in the CS9 mirror first simply because the RHEL QA is a longer process.
It’s not a question of “less QA”. It’s a question of contract obligations for shipping fixes and dealing with embargoes. Public projects cannot do the latter easily, and the former can make things complex for releasing fixes “in order”.