Tell HN: Red Hat reject AlmaLinux CVE patch to CentOS Stream: no customer demand
18 points | profwalkstr | 2 years ago
Link to CentOS Stream GitLab of the AlmaLinux CVE patch commit: https://gitlab.com/redhat/centos-stream/rpms/iperf3/-/merge_requests/5
Discussion going on Reddit: https://www.reddit.com/r/AlmaLinux/comments/1544w8b/red_hat_refuses_almas_cve_patches_to_centos/
dralley | 2 years ago
This is what the initial response said:
> Thanks for the contribution. At this time we don't plan to address this in RHEL but we will keep it open for evaluation based on customer feedback.
Carl George followed up on /r/almalinux with this:
> The request is still open and has not been rejected. The CVE hasn't even gotten a severity rating yet. So maybe tap the brakes and see how it plays out. Just like in any other open source project, asking for contributions does not automatically guarantee that every contribution will be merged.
It is entirely possible that this will end up being merged within a week if it is judged a serious security issue, but until then it's just "a CVE that someone filed", which doesn't necessarily mean much.
Disclosure: I work for Red Hat.
infamouscow | 2 years ago
What's so difficult about merging a patch that fixes a CVE?
You should genuinely be embarrassed at this stupid attempt to justify Red Hat's incoherent policies.
genmud | 2 years ago
Support means fuckall when they don't care or their timelines are measured in quarters and years. It's why when someone says "oh, you are paying for support" I just laugh at them. The tens of thousands of dollars we paid per year for RHEL would have been infinitely better utilized for supporting upstream projects and their developers.