Both Rocky 8 and 9 cloud-kernel sig repos have not been updated since Sept '24, leaving numerous systems vulnerable. Do we know who can fix this repo to ensure its up to date and secure?
When using cloud-kernel sig repo, the default behaviour is to exclude=kernel* on the base repo. So people running dnf updates will get other updates and think they are secure, however as cloud-kernel is not updated since Sept '24 it will not actually be secure.
Thanks for the question and apologies for the long delay on this. The Cloud SIG has been going through a lot of process changes and I have just bluntly dropped the ball on getting new kernels out. I do have some new-ish ones, but we’re still working on rebasing for the newest versions (and new ones just came out this morning from upstream). It’s a bit of a moving target that’s hard to hit.
I haven’t communicated enough about the process/changes here and again, I appreciate your (and everyone’s) patience. The good news is that most of the changes in the SIG/Cloud kernel have been upstreamed into the CentOS Stream (and thus Rocky) kernels, but that obviously doesn’t help or matter when the recommended config–as you note–disables getting kernels from elsewhere.
I’ll have the new kernels pushed out this evening, if all my final testing looks good (which it should be).