Comparing Fedora & CentOS Security Fix Lag

How does Fedora’s security patch lag compare to CentOS? The CentOS website states that security patches from RHEL take 24-72 hours to land in CentOS. But CentOS is a downstream, non-profit clone of RHEL.

Fedora is technically upstream from RHEL, but RHEL isn’t exactly downstream from Fedora:

  • Red Hat removes and modifies a lot of software from the Fedora release before it becomes a RHEL release.
  • RHEL freezes the kernel and most software versions, backporting fixes for 10 years, whereas Fedora releases are EoL after 13 months.
  • RHEL obfuscates patches to frustrate clones like Oracle and SUSE.

Does Fedora wait for opaque security errata from RHEL releases like CentOS, or is there a more cooperative relationship?


Hi @indolering! Welcome to Fedora!

I asked on the -devel mailing list and received some replies:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/XBZ63KP5TRUIO2T6XAWBP6BY4AMS5LCR/#ODPFVZHO5LR46VIZOCUZ2LSNRJGOQISD

Perhaps follow up there with any specific questions you have? (This is more an end-user focused forum, so not all devs will hang out here)

I wouldn’t call SUSE a clone; apart from sharing RPM as a packaging format, their distributions (openSUSE and SLES) have been separate, with a history dating back to the 1990s.
