Release Dates

Story: Circling The Wagons
Total Replies: 30
hughesjr

Aug 21, 2009
9:28 PM EDT
Release   SciLinux     CentOS
4.0       2005-04-21   2005-03-02
4.1       2005-08-06   2005-06-12
4.2       2005-12-03   2005-10-13
4.3       2006-05-08   2006-03-21
4.4       2006-10-10   2006-08-30
4.5       2007-06-26   2007-05-18
4.6       2008-03-10   2007-12-16
4.7       2008-09-03   2008-09-13
4.8       2009-07-21   2009-08-21

5.0       2007-05-07   2007-04-12
5.1       2008-01-16   2007-12-02
5.2       2008-06-28   2008-06-24
5.3       2009-03-19   2009-04-01

Above are the release dates of all CentOS and Scientific Linux releases for all 4 and 5 versions. Not sure how CentOS is that bad in comparison.

jdixon

Aug 21, 2009
9:43 PM EDT
> Above are the release dates...

I don't believe it's the release dates of the versions that Caitlyn is concerned about, but rather the release dates of security updates.

Others have voiced the same or similar concerns.

Personally, I use Slackware, so I don't have any stake in the matter.
caitlyn

Aug 21, 2009
9:45 PM EDT
jdixon is absolutely right. Release dates of versions are irrelevant and not a big issue. The problem with CentOS is that they don't get security patches out on a timely basis consistently. That leaves known security vulnerabilities wide open, which is totally unacceptable for an "enterprise" distribution. In contrast, Scientific Linux gets patches out promptly.

hughesjr, your information may be accurate but it has nothing to do with what I wrote about.
Steven_Rosenber

Aug 21, 2009
10:13 PM EDT
I bet Red Hat is loving the fact that all this publicity on how CentOS can't get patches out in time means that RHEL actually offers something that you can't get in CentOS ...
caitlyn

Aug 21, 2009
10:18 PM EDT
Possibly, Steven, but CentOS isn't the only free clone of Red Hat. I've made sure to prominently mention Scientific Linux as an alternative.

I would add that Red Hat support is first class. Sometimes you do truly get what you paid for.

I'll also add that I would have let this issue drop two weeks ago. CentOS supporters keep coming after me and sooner or later I had to respond.
Steven_Rosenber

Aug 21, 2009
11:51 PM EDT
I've known about Scientific Linux a long time, but even though it's an RHEL clone, for some reason I thought that it was so dedicated to scientific/research pursuits that it wasn't as suited to regular enterprise use as CentOS.

Obviously I was wrong ...

Both CentOS and Scientific Linux are very worthwhile projects that provide a real service to those of us who want to either figure out RHEL or just use it on a small scale.

My hosting provider uses CentOS, and I have no complaints ...
bigg

Aug 22, 2009
7:59 AM EDT
> I bet Red Hat is loving the fact that all this publicity on how CentOS can't get patches out in time means that RHEL actually offers something that you can't get in CentOS ...

Honestly, I view CentOS and RHEL as being in different markets. They share the same source code, but then so do all Linux distributions, with varying version numbers. For mission critical stuff, you really do need the support. A company like Goldman Sachs is unlikely to move to CentOS.
caitlyn

Aug 22, 2009
1:10 PM EDT
I agree with you, bigg, in most cases

OTOH, a large enterprise may use something like CentOS on development systems that aren't mission critical provided security is in place. Failing that either clever admins will apply Red Hat patches to CentOS boxes (not an issue at all) or migrate to something else.

A small business may start with CentOS and as they grow decide that they want and can afford the support.

Different markets? To a point, yes, absolutely, but there is some overlap.
hughesjr

Aug 23, 2009
5:38 PM EDT
It is the CentOS policy to push packages within 72 hours of the upstream release on normal updates (it takes time to build and test the packages).

On the point releases (which are the release dates posted above), the goal is to have the release done within a month of upstream.

CentOS is used as the base OS to build the following distributions: Yellow Dog Linux, TrixBox, and Rocks Clusters.

CentOS is the base OS on 9 of the top 500 supercomputers in the world. The following profiles at http://www.top500.org/ are running on CentOS: 9240, 9219, 9887, 9847, 9257, 9897, 9570, 9893, and 9259. These Clusters are installed and maintained all over the world by Sun, Dell, SKIF/T-Platforms (Russia), IBM, Raytheon, and SAIC. The largest of these machines was the #1 machine in the top 500 when it was created, and is currently number 8 in the world .. Ranger at UT Austin (installed by Sun):

http://blogs.sun.com/jonathan/entry/lone_ranger

Much of the Amazon EC2 cloud runs on CentOS.

We have 2 million unique machines doing updates every point release. CentOS is the Linux server platform of choice at several thousand server providers worldwide.

CentOS is currently relevant in the Enterprise regardless of what Caitlyn thinks.

The CentOS project can certainly do a better job of releasing packages faster .. we are taking that for action, and if you notice, in the last 3 weeks we have released updates within our goal statements with no exceptions. You will also note that all branches are absolutely current with RHEL releases, including all updates.
caitlyn

Aug 23, 2009
6:45 PM EDT
More circling of the wagons and putting words in my mouth from a defensive member of the CentOS team. I never said CentOS wasn't relevant in the enterprise. It wasn't long ago that I was recommending it and deploying it in the enterprise. Things have changed.

I really wonder how many new deployments in the enterprise you're going to have after airing your dirty laundry in public. It raises real questions about CentOS management, doesn't it? It revealed what most of us have known all along but chose to ignore: it's a small project run by a few volunteers. People will be rethinking future use of CentOS for a while until they are reassured.

You can't change a year of erratic and often very late delivery of patches in a week or three. You have a year of problems to undo and had patches come as much as two months late. If next year you can say you've delivered within 72 hours for a solid year with either no or few exceptions I would certainly modify my opinion. You've taken steps and that is positive. You need to build a track record.

Stop circling the wagons and being defensive. Continue delivering positive results and you won't get any negative press from me or anyone else.
hughesjr

Aug 24, 2009
4:50 PM EDT
This is a "Direct Quote":

CentOS has to prove they can get patches out on a timely basis to be taken seriously as an enterprise product.

My point is that CentOS is "Taken Seriously" right now ... and that you have failed to prove that it is NOT being "Taken Seriously".

You are entitled to your opinion ... however just because YOU do not take CentOS seriously does not mean it is not taken seriously by others in the enterprise.
softwarejanitor

Aug 24, 2009
6:34 PM EDT
@hughesjr I think it would be fair to say that CentOS needs to prove that they can get patches out on a timely basis if they want to continue to be taken seriously as an enterprise product.
azerthoth

Aug 24, 2009
11:54 PM EDT
Interesting points, there are two related (to each other, not to CentOS) distros that prove the opposite sides here. One distro proves that you don't have to do it 100% right as long as you do it often, while the other proves that you don't have to do it often as long as you do it right.

The difference is, both of these other distros have a plethora of developers. This is the main difference here, that in large projects you can absorb the loss of one fairly easily, while in smaller ones the loss of one can reduce the abilities of the dev team by 25%. This is where some of the trust issues seem to stem from.
caitlyn

Aug 25, 2009
1:29 AM EDT
Quoting:CentOS has to prove they can get patches out on a timely basis to be taken seriously as an enterprise product.

@hughesjr: Let me add an additional qualifier to the above since, as written, you have a valid point. The rewritten version:

Given the recent concerns about security patches and how the distro is managed, CentOS has to prove they can get patches out on a timely basis to be taken seriously as an enterprise product from here on out.

There, that's better, and really hard to dispute as well.
vainrveenr

Aug 25, 2009
2:29 AM EDT
Quoting:Given the recent concerns about security patches and how the distro is managed, CentOS has to prove they can get patches out on a timely basis to be taken seriously as an enterprise product from here on out.
Then there is also what is termed the 'Infinite monkey theorem', http://en.wikipedia.org/wiki/Infinite_monkey_theorem Literally, it goes that "a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will almost surely type a given text, such as the complete works of William Shakespeare." Basically a quantitative raw-numbers, brute-force type of approach.

Figuratively as applied here, it could indicate that given a fantastically high number of CentOS patches coming out one after the other on a regular basis.... major security concerns in CentOS will almost certainly be resolved on a timely basis. Obviously, this is an idealized goal of quantity (mere brute force) over quality, and is thus vastly far away from being any sort of an achievable goal for the small team of CentOS maintainers.
Quoting:You can't change a year of erratic and often very late delivery of patches in a week or three. You have a year of problems to undo and had patches come as much as two months late. If next year you can say you've delivered within 72 hours for a solid year with either no or few exceptions I would certainly modify my opinion. You've taken steps and that is positive. You need to build a track record.
Indeed, a consistent and qualitative record of due diligence is needed here rather than a very few yearly bursts of cranked-out CentOS patches doled out together with what might be considered PR-type spin -- the latter, as the highly reactionary Circling The Wagons Syndrome.

caitlyn

Aug 25, 2009
2:37 AM EDT
@vainrveenr: All good points. I will also point out that not all Red Hat errata are necessarily security patches. Most are, but not all. Even those that are would not all be classified as severe or critical. Finally, even Red Hat is late now and again, which is why I said "few exceptions" rather than no exceptions. Also, when discussing exceptions, if a minor flaw is patched a day or two later nobody is going to make a big issue out of it. Being late with critical patches frequently will draw the ire of many, not just me.

I take no pleasure out of writing something negative about a Linux distribution. None at all. However, if I am to have any credibility at all I have to be honest about what I comment on and what I report, both positive and negative.
hughesjr

Aug 25, 2009
9:58 AM EDT
Red Hat releases these updates in 2 different ways:

1. An updated set (or point release). This is done 2-4 times a year and is where the .2 and .3 in 5.2 and 5.3 come from. These update sets contain hundreds of packages and the packages have to be compiled in a fairly precise order to get the correct results.

This type of update normally takes CentOS at least a month to do because we may have to rebuild many of the packages more than one time to get the libraries to link correctly. Red Hat releases both security updates and bugfix updates in these "update sets".

It is not easy to build a security update that happens chronologically in the middle of this update set because it will depend on things built earlier in the update set.

No one tells CentOS the order that the packages were built or integrated into the build system for these update sets; we have to experimentally determine that by making our best guesses and building the updates. We then test them against the upstream binaries, spin-rinse-repeat as necessary to get it right. The problem is, just because they built an updated package, they may not have rolled it into their build system at that time. If we get the order wrong, we can have things linked to the wrong libraries, etc. This is the main reason we can't just grab a security update from the update set and just build it and push it.

It is also the reason we can't just build a security update released 2 days after the point release (until we release the point release) since that update is built upstream against packages they have released in the update set.

These update sets can take up to a month (or maybe longer) to do. CentOS generally completes these updates faster than any other rebuild group, and the above release dates are a comparison of when these releases happen.

Red Hat does a beta for these releases for 4-5 months before they release them. The comparison dates above show when CentOS and Scientific Linux finished each of these.

2. The second type of update is the ones released between updates sets. These are generally released one or two at a time and are usually easier to build and to test as the build system is not also in flux during their release. These are the types of updates CentOS has a goal to release within 72 hours. Sometimes it takes longer.

===== @caitlyn: You don't make any distinction as to which update type you are talking about. If it is during the update set, we may have to build the packages in several stages, and redo them several times to get it right. If it is the 2nd type of update, I agree that they should be built and released quickly.

Steven_Rosenber

Aug 25, 2009
10:52 AM EDT
There wouldn't be such a ruckus over the way the CentOS project is managed and the manner in which the team releases security patches if there wasn't an acute need and desire for a distribution that does what CentOS does, namely releases a free clone of a high-quality product that is not free (RHEL).

I can believe that millions are using it, that Amazon subsists on it.

My question to those who know more than me: What would it take to make, say, Debian, an equally attractive product for the enterprise server?

I can also see the Ubuntu LTS taking some of this share.
caitlyn

Aug 25, 2009
3:37 PM EDT
@hughesjr: I think you missed something in my post earlier. I said that delayed dot releases are fine so long as the previous release is properly supported and secured. Red Hat understands that not all of their customers will do each dot release. Some ISVs (Oracle immediately comes to mind) will support an earlier dot release but not the latest. So long as all the patches to the previous release are posted then all is well.

Dot releases do two things: 1. Compile all the security patches since the last release, and 2. Add bugfixes not related to security.

So... we now agree that patches (what you call the second type) should be released quickly. Do that on a regular basis for a while and I will drop my complaints about CentOS security. Fair enough?
hughesjr

Aug 25, 2009
4:50 PM EDT
@caitlyn: Sure. Keep an eye on the updates ... I think you will like what you see.
Steven_Rosenber

Aug 25, 2009
8:20 PM EDT
As a wakeup call, this could make the project much better going forward ...
jdixon

Aug 25, 2009
8:49 PM EDT
> Keep an eye on the updates ... I think you will like what you see.

Everyone hopes so. No one here wishes CentOS ill, at least AFAIK.
caitlyn

Aug 25, 2009
8:52 PM EDT
@jdixon: Absolutely. I wish CentOS well and I would like to see them succeed with no further drama.
gus3

Aug 25, 2009
10:16 PM EDT
Quoting:I would like to see them succeed with no further drama.
But... but... drama is good for PR!
rijelkentaurus

Aug 26, 2009
11:22 AM EDT
"There is no such thing as bad publicity except your own obituary." Brendan Behan
jdixon

Aug 26, 2009
11:41 AM EDT
> But... but... drama is good for PR!

I can see it now: Tune in tomorrow for our next exciting installment of "As the Distro Turns".
softwarejanitor

Aug 26, 2009
11:54 AM EDT
@jdixon So you are saying that tomorrow we find out that CentOS is the illegitimate love child of Red Hat?
gus3

Aug 26, 2009
11:57 AM EDT
@rijelkentaurus:

What a day to be posting that quote.
jdixon

Aug 26, 2009
12:51 PM EDT
> So you are saying that tomorrow we find out that CentOS is the illegitimate love child of Red Hat?

Well, we always knew that. The question has always been who the other parent is. :)
softwarejanitor

Aug 26, 2009
2:10 PM EDT
@jdixon Sounds like a good story line...
gus3

Aug 26, 2009
2:14 PM EDT
Nah, they already did that one on "South Park."