Worried about Rocky Linux not updating packages promptly

Since Rocky Linux 8.4 was released, I was checking how long it would take for Rocky Linux to update itself after CentOS 8 had updates. For example, when checking CentOS 8 for updates [http://centos.les.net/8/BaseOS/x86_64/os/Packages/?C=M;O=D], I see some updates happened at least a few days ago and Rocky Linux still hasn’t had any updates [http://distro.ibiblio.org/rocky/8.4/BaseOS/x86_64/os/Packages/]. This is making me [and I am sure other people] worried about how promptly Rocky Linux will be updating its packages compared to other clones. [Especially once CentOS 8 is gone before the end of the year]

Not sure if this is relevant to your situation or not, but I had a similar concern, then noticed that the issue (in my case) was with the mirror I was using not having updated in some time.

Once I pointed my Katello server directly at the repos at Index of /pub/rocky/, I immediately got the package updates I was looking for.

2 Likes

Hey there -

We hear the worry, and are working on making the process more transparent. In short, we will build updates as soon as they are available, and have been testing the best way to get these out in a mostly-automated but still safe and secure fashion.

I am confident we can keep most if not all the information publicly accessible so anyone that wants to can easily follow along and keep track without having to understand the intricacies of Koji, MBS, etc!

The processes are semi-dynamic as we figure out the best way to deliver updates to production as fast as possible, as safely as possible! In addition, Security Errata, as well as mailing lists, are on their way. Just a few more ways to keep up to date and be on top of updates.

Lastly, thank you for asking the question. Accountability and transparency are really important to us, so keep the questions coming!

Welcome to Rocky Linux!

4 Likes

I had a similar situation like @jacraig this morning. Kept attempting to connect to 40+ mirrors to update rsyslog but couldn’t find it. I guess some of the issues are being caused by the maintainers of the repos not running the reposync often enough for changes to be found.

1 Like

@neil – That is fantastic news re Security Errata! Will that be distributed natively in the repos, a la upstream and https://updateinfo.cefs.steve-meier.de ? It would be fantastic, if so, since that would allow for smoother integration into Katello / Spacewalk without the need for extra scripts.

Indeed! And, unless @mustafa yells really really loud … maybe a public-facing API, too 🙂

1 Like

I say again: fantastic! You folks are awesome. My team and I are really excited and enthusiastic about this community and all that has been accomplished already.

Tens of thousands of higher education students, faculty, and staff at the large research University where I’m employed, and where Enterprise Linux is heavily used, are already beginning to enjoy incalculable benefits thanks to your efforts.

4 Likes

This is something we’re trying to address too – where mirrors are becoming stale and/or not syncing on a proper interval. We pushed a set of updates within the span of a week and some of our mirrors still hadn’t synced. Not really sure why. Either way, we’re looking into how to address this and it is WIP.

1 Like

It seems Rocky Linux is not updating on my instance. Is that the case, or is it only me?
If I update a CentOS 8 instance, there are always some packages updating,
while when I run the same command, dnf update, on Rocky, no update is shown.

I still think that if we have updates on CentOS, Rocky will also have them. Is that true?

Thanks

When RHEL releases (sources of) updates, then Rocky, Alma, and CentOS Linux start to build. How long it takes for each of them depends on their build systems. Yes, all three can be expected to release equivalent updates.

However, this thread has discussed a different bottleneck: mirrors. Once each project has built new packages, they sync to their mirrors. Mirrors of Rocky had some issues in the summer.

Overall, RHEL has not released many updates lately because their development is currently focused on the next point update (now in public beta stage).

Hi,
I had been using Fedora workstation for years and due to the upgrade from 33 to 34 bricking the OS, I evaluated Alma and Rocky Linux. And decided on Rocky 🙂
It is a huge relief to me to not have to worry every 6 months about whether an upgrade will fail.
I am very happy that Rocky Linux is available and today I am installing it as my main and only desktop workstation. Thank you very much for creating it 🙂
I am not a Linux or server administrator (just a retired engineer) and I do understand the concern about delayed updates, but I do not understand how much of a concern this is.
To this end I would like to ask:
How much will delays make an RL workstation insecure? (I realize this may depend on many factors so maybe it is a difficult or impossible question to answer)
Should I wait and not use RL workstation until the update process is ironed out? (I do realize RL is new and this may be a massive amount of work)
Thanks ahead of time…

It really depends on the nature of each vulnerability. If it is in a feature that you don’t use, then you have nothing to worry about. If one has to be already logged in in order to exploit a vulnerability, then you have only your users to watch for. (Users are usually the weakest point anyway, “clicking links”, etc.)

If you look at the version history of CentOS Linux (CentOS - Wikipedia), you will notice that they too have had some noticeable delays compared to RHEL point releases. Despite those, the model of CentOS Linux has been so popular that Rocky and Alma spawned as successors. Would they have, if the inherent risks of the model were substantial?

Hello. We usually release updates within 24 to 48 hours when released upstream (RHEL). We have a handy page that helps us identify if we’re missing something or version discrepancies here. To @jlehtone’s point, there haven’t been that many updates being released because the 8.5 beta was released, so there is less incentive for them to maintain some things in 8.4 if it’s not necessary. That, and mirrors can sometimes be an issue. We’re getting a better handle on it as time goes on though.

If you find that you’re not receiving an update whereas a RHEL machine or a CentOS machine has received it, please let us know with an example and the mirror (if possible) that you’re connecting to and we can investigate.

1 Like
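The stale-mirror check discussed in this thread, as an added example that is not part of any post here and is not Rocky Linux project tooling: it compares the `repodata/repomd.xml` of an origin repository with that of a mirror and reports how far the mirror's metadata lags. The function names, the 24-hour threshold and the sample documents are assumptions constructed for illustration; in practice the two documents would be downloaded from the origin and the mirror.

```python
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # repomd.xml default namespace

def sample_repomd(revision, primary_ts, updateinfo_ts):
    """Build a constructed, minimal repomd.xml (sample data, not from a real mirror)."""
    return f"""<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>{revision}</revision>
  <data type="primary"><timestamp>{primary_ts}</timestamp></data>
  <data type="updateinfo"><timestamp>{updateinfo_ts}</timestamp></data>
</repomd>"""

def repo_state(repomd_xml):
    """Return (revision, newest <data> timestamp) from a repomd.xml document."""
    root = ET.fromstring(repomd_xml)
    revision = (root.findtext("r:revision", default="", namespaces=NS) or "").strip()
    stamps = [int(float(t.text)) for t in root.findall("r:data/r:timestamp", NS) if t.text]
    if not stamps:
        raise ValueError("repomd.xml contains no <data> timestamps")
    return revision, max(stamps)

def mirror_lag(origin_xml, mirror_xml, max_lag_hours=24):
    """Classify a mirror against the origin; returns (status, hours behind)."""
    o_rev, o_ts = repo_state(origin_xml)
    m_rev, m_ts = repo_state(mirror_xml)
    if m_ts > o_ts:
        # Metadata newer than the origin is unexpected and worth reporting.
        return "ahead", 0.0
    if m_ts == o_ts and m_rev == o_rev:
        return "current", 0.0
    lag = round((o_ts - m_ts) / 3600, 1)
    return ("stale" if lag > max_lag_hours else "behind"), lag

# Constructed samples: the origin, a mirror 5 hours behind, a mirror about 8 days behind.
ORIGIN = sample_repomd(1626300000, 1626300000, 1626299000)
RECENT = sample_repomd(1626282000, 1626282000, 1626281000)
STALE = sample_repomd(1625600000, 1625600000, 1625599000)

if __name__ == "__main__":
    for name, doc in (("origin", ORIGIN), ("recent", RECENT), ("stale", STALE)):
        print(name, mirror_lag(ORIGIN, doc))
```

A mirror reported as `stale` explains a missing update without any delay in the build itself, which is the case several posters describe; the status and mirror URL are the details the request above asks for.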

jlehtone,
Thanks for your thoughts.
I was not aware of the CentOS Wikipedia link and that helps me understand things, so that is very helpful…

Hi nazunalika,
Thank you for your info and the link to the RHEL 8 <—> Rocky 8 Package Comparison.