When Will CentOS Publish Errata?


Hello,

Currently the CentOS project publishes errata on its CentOS Announce mailing list. In order to import this into a package management system (like Katello on The Foreman), one needs to parse the mailing list and convert it into XML before importing it. This is done to some extent on http://cefs.steve-meier.de/ but some more legwork needs to be done before The Foreman can understand the errata like it does natively for RHN.

I have heard rumour that The CentOS project is planning to publish Errata in the same way that Red Hat does, but I haven’t been able to find anything on the Internet about this. Does anybody know if The CentOS Project has indeed declared such intention, and when they plan to do this?

Side Note: Interestingly enough, I’ve noticed that EPEL has started to add errata data to their repositories.

Thanks, David

17 thoughts on - When Will CentOS Publish Errata?

  • David,

    The CentOS team has taken the stance that they do not understand what is required for this, so, they will not be including it under any circumstances.

    I am unable to locate the thread in the archive:
    http://lists.CentOS.org/pipermail/CentOS-devel/2014-September/thread.html

    However, luckily, Gmane archives everything just fine. http://thread.gmane.org/gmane.linux.CentOS.devel/12370/focus375

    In the third reply from KB, he states:
    “ok, so the updateinfo content – we can carry that, where would the data come from ?”

    So it may be possible he doesn’t understand where the Errata is located currently (in the mailing list), so I think someone just needs to step up and do the work for CentOS in incorporating the Errata, but, Johnny handles that and the work he does isn’t documented to the public. So, we’re a little in the dark on where/how he sets up the announce list anyways. But, that’s how it’s always been with the CentOS project: the gears are kept private, the product is made public.

    Realistically, it would probably be easier to fork the repositories under a different name, create your own mirrorlist and point back at the mirrors for your RPM sources.

    Steven Crothers steven.crothers@gmail.com

  • umm, no.

    again, incorrect – spend a bit of time and actually try to work out what the context and data needs to be and what is being requested.

    third part, again incorrect.

    you are still going to need the updateinfo data…

  • Thanks Steven for bringing this thread to my attention. So it looks like there was already a discussion about this in September, and it ended with two action items.

    1. Write code to automatically put the following into updateinfo.xml
    a. Link to RH web site
    b. List of packages that are updated
    c. CESA, CEBA or CEEA number which flags the type of fix as bug, security or enhancement.

    2. Figure out how and where to store previous errata content.

    The final comment on the thread “Erata in the Repo” was Kevin Strange saying he would look into #1, and also him asking everybody what the best way to do #2 is.

    Does anybody know if Kevin has had any luck with #1? Would it be better if I revived that thread or is it fine to discuss here?
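
The first action item listed in the comment above, sketched as an added example (not code from the thread or from the CentOS project): it builds one updateinfo `<update>` entry from an announce-style message, carrying only the advisory ID, its type, the upstream link and the package list. The sample message, its package names and checksums are constructed; the `from`, `status` and `epoch` values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Advisory prefix -> updateinfo "type" attribute.
TYPES = {"CESA": "security", "CEBA": "bugfix", "CEEA": "enhancement"}

# Constructed sample in the style of a CentOS-announce message: package names
# and checksums are invented; the upstream link is the one cited in the thread.
SAMPLE = f"""Subject: [CentOS-announce] CESA-2014:2024 Important CentOS 6 examplepkg Security Update

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-2024.html
x86_64:
{'a' * 64}  examplepkg-1.2.3-4.el6.centos.x86_64.rpm
{'b' * 64}  examplepkg-libs-1.2.3-4.el6.centos.x86_64.rpm
Source:
{'c' * 64}  examplepkg-1.2.3-4.el6.centos.src.rpm
"""

def split_rpm(filename):
    """Split name-version-release.arch.rpm; names may themselves contain '-'."""
    stem, arch = filename[:-len(".rpm")].rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch

def build_update(message):
    """Return an <update> element holding only id, type, link and package list."""
    m = re.search(r"\b(CESA|CEBA|CEEA)-(\d{4}):(\d+)\b", message)
    if not m:
        raise ValueError("no CESA/CEBA/CEEA identifier found")
    link = re.search(r"^Upstream details at\s*:\s*(https?://\S+)", message, re.M)
    update = ET.Element("update", type=TYPES[m.group(1)], status="stable", version="1")
    update.set("from", "centos-announce")  # assumed value; 'from' is a Python keyword
    ET.SubElement(update, "id").text = m.group(0)
    refs = ET.SubElement(update, "references")
    if link:  # link to the upstream advisory instead of copying its text
        ET.SubElement(refs, "reference", href=link.group(1), type="self")
    coll = ET.SubElement(ET.SubElement(update, "pkglist"), "collection")
    for digest, fname in re.findall(r"^([0-9a-f]{64})\s+(\S+\.rpm)$", message, re.M):
        name, version, release, arch = split_rpm(fname)
        if arch == "src":
            continue  # list binary packages only
        pkg = ET.SubElement(coll, "package", name=name, version=version,
                            release=release, arch=arch, epoch="0")  # epoch assumed 0
        ET.SubElement(pkg, "filename").text = fname
        ET.SubElement(pkg, "sum", type="sha256").text = digest
    return update

if __name__ == "__main__":
    print(ET.tostring(build_update(SAMPLE), encoding="unicode"))
```

The announce filenames carry no epoch, so a real generator would need to read it from the RPM header or the repository's primary metadata rather than defaulting to 0.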

  • Please note a couple of things …

    1. Blatant screen scraping is a violation of the terms of service for RHN .. so where is a SOURCE of information for something like this:

    https://rhn.redhat.com/errata/RHSA-2014-2024.html

    If you read this:

    https://access.redhat.com/help/terms/

    then, one can not just grab all the info on that errata page and distribute it .. which is why we LINK to it and not distribute it currently.

    So, the first issue is that one must find a source for the information that would go into the ‘updateinfo.xml’ file that is always maintained and is available to read and to redistribute.

    2. If someone comes up with a place to get said data, THEN we could properly publish that data in some way.

    Thanks, Johnny Hughes

  • You could subscribe an address, but based on the link to RH’s terms that Johnny posted it may still violate the TOU to redistribute the contents of the messages the bot received.

    –keith

  • Can’t we just ask Red Hat if it’s OK for CentOS to use the data for its updateinfo.xml?
    Is there some official communication channel between the CentOS Project and Red Hat?

  • Sure, but they aren’t likely to let us.

    The purpose of CentOS within the Red Hat ecosystem is explained here:

    http://community.redhat.com/CentOS-faq/

    CentOS is open source, so you can use it however you want and for whatever you are comfortable using it for .. however, giving special dispensation to violate terms of service of RHN to make CentOS more usable than it already is in the enterprise is not high on their priority list.

    They are not taking any action to make it in any way less usable, but they are also not going to do anything to make it easier either.

    What we need is a way to get that info from another place.

    Maybe the oval data, if it has all the required information and if the Terms of Service allow for that.

    Someone in the Community needs to research that and see if it is usable or if there is some other source for the information that can then be modified to create the updateinfo.xml file.

  • Thanks for all that. My contribution was in response to the question “Is there some official communication channel between the CentOS Project and Red Hat?” I should have trimmed more carefully and saved you some keystrokes.

  • Nope. We’re still air-gapped from the RHEL business units. We have lines of communication to other RH community projects, but nothing that would line up with this thread.

  • How do we know if the ToU allow for it? Is there a way to check?
    Whatever we do we have to look at the metadata provided via RHN or Red Hat website in order to make judgments about what the purpose of the change is. What does the CentOS Project currently do for Release Notes?

  • I heard that this is actually how the RHEL errata have been put together, and that it would not be a violation of the ToU to use the info in the emails.

    Can somebody confirm this?

    Sounds to me like this would be the way to go.

  • Well IANAL, but:

    IMHO Red Hat’s “terms of service” on their website are not valid, at least in Germany (where I happen to live). In Germany you cannot bind someone to some silly “terms of service” by just displaying them on some random website.

    You need to agree to those ToS actively somehow (e.g. signing a contract).

    But of course this is IANAL, so you should probably contact some lawyer about this.

    But if I’m right it could at least be possible to create this data in Europe.

    kind regards

    Sven

    PS: I guess this discussion should move to the devel list?
