Is CentOS Stream 9 now getting security patches before RHEL?

I thought that CentOS Stream 9 was the place where development for RHEL happens, except for security patches, which go to RHEL first.

But this Reddit user pointed out that the CentOS Stream 9 kernel has all the CVE patches that are now in RHEL. I checked the changelog, and it appears to be the case.

Stream 9 is NOT behind RHEL when it comes to security in the kernel. I haven’t checked other packages yet, but the kernel has been my main concern.

If this continues, it makes a very good case for adopting CentOS Stream.

Did policies and procedures in CentOS Stream change? I think this is something worth noting.

The Reddit post:
https://www.reddit.com/r/redhat/comments/1c5gsfm/comment/kzxpj6k/

The CentOS Stream 9 kernel changelog:

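As an added example (not from any poster in this thread), the check above can be scripted: parse the output of `rpm -q --changelog kernel` from two hosts, collect the CVE ids each entry references, and report which ids one changelog carries that the other does not. The changelog text, version strings and `[RHEL-XXXXX]` issue ids below are constructed samples; only CVE-2022-0185 is taken from the thread.

```python
"""Compare CVE references between two RPM kernel changelogs (rpm -q --changelog kernel)."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Entry header as rpm prints it, e.g. "* Tue Apr 16 2024 Packager <mail> [5.14.0-437.el9]"
HEADER_RE = re.compile(r"^\* .*?\[([^\]]+)\]\s*$", re.M)


def parse_cves(changelog):
    """Map each package version in the changelog to the set of CVE ids its entry mentions."""
    result = {}
    headers = list(HEADER_RE.finditer(changelog))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        result[header.group(1)] = set(CVE_RE.findall(changelog[header.end():end]))
    return result


def all_cves(changelog):
    """Every CVE id referenced anywhere in the changelog."""
    return {cve for cves in parse_cves(changelog).values() for cve in cves}


def cves_missing_from(reference, other):
    """CVE ids fixed in `reference` that `other` does not mention at all."""
    return all_cves(reference) - all_cves(other)


# Constructed sample changelogs (versions, issue ids and CVE-2024-12345 are made up).
STREAM_LOG = """\
* Tue Apr 16 2024 Packager <packager@example.com> [5.14.0-437.el9]
- fs: constructed entry (Jane Doe) [RHEL-XXXXX] {CVE-2022-0185}
- net: constructed entry (Jane Doe) [RHEL-XXXXX] {CVE-2024-12345}

* Tue Apr 09 2024 Packager <packager@example.com> [5.14.0-436.el9]
- mm: constructed non-security entry (Jane Doe) [RHEL-XXXXX]
"""
RHEL_LOG = """\
* Tue Apr 09 2024 Packager <packager@example.com> [5.14.0-427.13.1.el9_4]
- fs: constructed entry (Jane Doe) [RHEL-XXXXX] {CVE-2022-0185}
"""

if __name__ == "__main__":
    print("In Stream but not RHEL:", sorted(cves_missing_from(STREAM_LOG, RHEL_LOG)))
    print("In RHEL but not Stream:", sorted(cves_missing_from(RHEL_LOG, STREAM_LOG)))
```

On real hosts, feed the script the saved output of `rpm -q --changelog kernel` from a Stream 9 box and a RHEL 9 box in place of the two constructed strings.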
Fedora != CentOS.

You might be better off asking on a CentOS forum?


1 Like

Only embargoed security fixes go to RHEL first, flowing then into CentOS Stream once the embargo is lifted. Everything else (including non-embargoed security fixes) happens in CentOS Stream first.

1 Like

Our policy from the start has been that CVE fixes with an Important or Critical Severity and anything Embargoed is released in RHEL first, and then the code is pulled into Stream. Other CVE fixes are free to land in Stream at any time alongside regular features and bugs.

1 Like

Well, it’s looking pretty good nowadays.

1 Like

The centos category here is for CentOS. If you’d prefer to avoid it, you can mute the category.

1 Like

Despite some, um, rumors to the contrary, the entire point of CentOS Stream really, genuinely is to open up RHEL development.

6 Likes

It is nice to have everything right there in GitHub.

1 Like

s/GitHub/GitLab :wink:

This was one of the big reasons for the move.

From the list you mentioned from reddit, there are tons of Moderate and Low, but at least one Important: CVE-2022-0185 (probably more). From Brian’s post, it makes sense to see Moderate and Low making it to CS first, but the only way I can then see the Important ones making it to CS first is when the fix is first done in RHEL and the engineer applies it to CS9 as well, and it appears in the CS9 mirror first simply because the RHEL QA is a longer process.

1 Like

Thanks for the information. I’m OK getting the Important fixes with less QA than RHEL.

It’s not a question of “less QA”. It’s a question of contract obligations for shipping fixes and dealing with embargoes. Public projects cannot do the latter easily, and the former can make things complex for releasing fixes “in order”.