Initial draft at https://hackmd.io/gpDt2S4aRrS9MsyXIBTY9g
Can someone describe the usage and audience for the doc? I want to make sure I understand its purpose a bit more.
Audience would be CentOS users. I originally wrote it to try and demystify how security updates flow into Stream after an IRC conversation around the polkit vulnerability, as I was having trouble keeping it straight in my head. I think in general I'd like this to be something that can help shed light into a somewhat complex process, set expectations and help users better understand how things work.
OK. I think this might shed some insight into how the proverbial sausage is made, but I don't think it's going to do anything to help set expectations. If the general question being asked is "when will I have a CVE fix?", this isn't going to answer that. It will just tell them how we build and deliver RPMs.
If we publish this as a blog post, we need to either up-level it to cover how updates in general are published or we need to stick with CVEs and ensure they understand it describes "how" and not "when". We'd do well to link to the official FAQ on the topic, and reiterate there is no SLA on any kind of fix. That is the only expectation the project can rationally set.
I found some time at last to work on this, and have significantly reworked and expanded this document; the latest version is on HackMD at the same link.
I reviewed the latest version and I think it looks pretty good. I don't have any objections to it. Thank you for updating it!
Let's get consensus on this either via email or the next Board meeting so we can get this resolved. But I think all of us who have read it are good with it.
This looks good to me as well.
I wonder if it would be worth including at least a brief comment about testing.
I thought about this, but I have very little visibility into how that actually works, and didn't feel comfortable speculating. If someone wants to contribute a paragraph on it, feel free to edit the doc or comment on it.
@bookwar do you think you could add to this document with testing?
I've added a reference to @bookwar's openinfra talk, which I think covers this nicely for now (and we could consider doing a followup article on testing specifically, which I think would be useful). Given that there are no objections, I'm going to start drafting this up on the blog.
Published: https://blog.centos.org/2022/09/how-updates-work-in-centos/
Metadata Update from @alphacc: - Issue status updated to: Closed (was: Open)
Closed / September Board meeting