For urgent security updates to Rocky Linux, ahead of updates in RHEL, would you prefer they be “default” (in the normal repositories) or require manual intervention to install (in a separate repository)?
- Default
- Manual intervention
All else being equal (risks, etc.), default, but if there’s anything questionable then manual is better.
I think it makes sense to keep the defaults exactly the way they are so that Rocky remains 100% bug for bug compatible with RHEL and then have another optional repository for early access to security updates.
One could ask what is the difference?
Assuming that Rocky does release a hotfix version of package X before Red Hat:
- dnf up, does get it
- dnf up

The manual part (for user) is the initial definition of the hotfixes repository, similar to dnf install epel-release. Its use remains a bit manual only if one disables the repo and thus has to --enablerepo=hotf to opt in for its content.
In that sense there is almost no difference in usage whether interim package is in same or different repo.
However, for those who do not want to install such packages the separate repo is much more convenient.
This is why I personally voted for default, since you could release kernel-5.14.0-611.49.1.el9_7.x86_64 as a minor version update kernel-5.14.0-611.49.2.el9_7.x86_64 by changing 49.1 to 49.2 and you’ll get the new kernel. The fix was in kernel-5.14.0-611.54.1.el9_7.x86_64 so it would then automatically be replaced later with the official 1:1 kernel. Similar for other packages too just introducing a very minor release.
Then everyone would get it, and not have to think about “did I enable that extra hotfix repository or not”. I get the feeling though it will more likely end up as an additional hotfix repository though as I think more people are swinging that way than the default repos.
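The version ordering this post relies on, as an added example that is not part of the original thread: a simplified Python re-implementation of RPM's version/release comparison applied to the three kernel builds named above. The helper names are hypothetical, epoch, tilde and caret rules are omitted, and the `611.60.1` build is constructed to show an interim release numbered too high.

```python
import re
from functools import cmp_to_key

def rpmvercmp(a, b):
    """Simplified RPM segment comparison (no epoch, tilde or caret rules)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvra(nvra):
    """Split name-version-release.arch into its four fields."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def compare_builds(a, b):
    """Compare two builds of the same package: version first, then release."""
    _, va, ra, _ = split_nvra(a)
    _, vb, rb, _ = split_nvra(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def newest(builds):
    """Return the build a package manager would treat as the latest."""
    return sorted(builds, key=cmp_to_key(compare_builds))[-1]

SHIPPED = "kernel-5.14.0-611.49.1.el9_7.x86_64"   # from the post
INTERIM = "kernel-5.14.0-611.49.2.el9_7.x86_64"   # from the post
OFFICIAL = "kernel-5.14.0-611.54.1.el9_7.x86_64"  # from the post
TOO_HIGH = "kernel-5.14.0-611.60.1.el9_7.x86_64"  # constructed counter-example

if __name__ == "__main__":
    # The interim build outranks the shipped one and yields to the official fix.
    print(newest([SHIPPED, INTERIM]), newest([INTERIM, OFFICIAL]))
    # An interim release numbered above the official one would keep winning.
    print(newest([OFFICIAL, TOO_HIGH]))
```
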
I would agree that practically there is almost no difference in usage. Maybe it’s more of a philosophical argument in that having the interim package technically strays from RHEL compatibility (however minor), and having it enabled by default takes it one step further by adding this opinion by default into Rocky.
This is the reason I voted for “Manual”. Gives people the choice.
I selected “Manual” also, to allow it to be the choice of the user. Introducing the updates as default would make Rocky not 1:1 with RHEL and could possibly introduce issues. It is very simple for the user to use the set-enabled option if they want to allow this repo normally on their system.