Will there be Errata?

Good morning! I am wondering if anyone knows if there will be plans for ERRATA to be included in the Rocky distro(s).

Errata is SO important, and the way CentOS has handled it (by not handling it) has been a sore point for many of us for years. Errata to be included into the likes of Spacewalk or Katello is only done courtesy of third-party tools (ie “CEFS”), that scrape Centos email lists for errata info. It’s kind of a hack, it’s messy, and of course, CentOS as we know it is going away…

RedHat of course has errata, and I see (after playing internally) that even Oracle Linuxx has it. Which is cool. I am hoping Rocky includes it, as that would be a HUGE win and draw for customers.

some background info for reference: The Story of Errata for CentOS

3 Likes

Seconding this – errata would be a huge win. I’m not sure as to the resources that would need to be devoted to maintaining it on the repository side and whatnot, but it’s definitely a consideration for me in what I migrate to from Cent.

1 Like

+1 for errata in the official repositories. It will be one of the features to check when choosing our next distro.

CentOS does/did not do this. Looking through mail archives, it appears that at least part of the answer to that was because they didn’t verify CVE closure.

If we were to publish errata, I think we would probably have to verify CVE closure. We’d also have to actually scrape the errata from the mailing lists and publish it to updateinfo.xml. We would need a team stood up to dedicate to doing this. If the community has interest in it, then it’s something we could certainly consider. Basically, I think our position on this is going to be: if you want published errata, then rally volunteers around you to form a team and let us know and we can discuss.

There’s more info here: The Story of Errata for CentOS

This link also walks through how you can obtain errata for yourself with a variety of methods.

Yes I am aware CentOS does not do this. And errata today is based on email lists that will eventually die.

Having errata for me is a deal breaker. If there’s no errata, I will have to drop Rocky Linux in favor of (probably) Oracle Linux.

I wish I had the skillset to volunteer for this, sadly I do not. So the best I can do is put my request out there that this is really important. Thanks for listening!

@leigh there is a yum repository (maintained by the community) which provides the errata information.
https://updateinfo.cefs.steve-meier.de/

If you check the FAQ in his website (https://cefs.steve-meier.de/) the maintainer of this repo says:

Will you support CentOS 8-Stream?
No. If it gets off the ground, I may support [Rocky Linux](https://rockylinux.org/).

As the maintainer seems to be open to support Rocky Linux, maybe we can contact him to ask if he would contribute the errata info or the required tools to obtain the errata to the rocky linux project? Does it sound reasonable?

Suits me. Ping him and see what he says.

Though, again, one concern is that we don’t at present have a team dedicated toward validating CVE closure.

@pescobar, @leigh

I was already watching this thread :eyes:

Happy to help where I can.

@smeier I have contacted you right 1min ago :smiley: Thanks for your offer to help!

I have not had to build ERRATA in quite a few years, however to my knowledge Steve was still using CentOS mailing lists, and not just a Red Hat OVAL file. I suspect even if he is willing to support Rocky Linux we would need to have our own mail lists to replace the ones from CentOS.

It seems unlikely for CentOS to continue email lists specific to Errata with CentOS Streams not being downstream.

1 Like

The mailing list is not enough since the release of CentOS 8.

For Rocky Linux, we would have to follow a similar process as CentOS for sending out the errata information in the first place. Unfortunately, this process is opaque (at least to me).

For each new RPM built, one would have to determine why this build is done.
There are essentially four reasons: Bug fix, Security fix, Enhancement or new release.

In the CentOS 7 days it was fairly easy to match the CentOS RPMs to the Red Hat originals.
With AppStream, this has changed as build numbers and hashes now form part of the package name, making this a bit of a guessing game at times.

A good first starting point would be a “push log”, an easily parsable list (maybe JSON) which includes the name of the source RPM as well as the name of the resulting RPM(s) and when they were built/released.

Kind regards,
Steve

Yes exactly one of my concerns. We cannot depend on the existing centos mailing list because as of December it becomes a dead-end.

I am thrilled however to see RL community members taking a serious look at this item. Thank you all, I look forward to whatever errata solution eventually (hopefully) gets put in place…!