Hello!

CentOS really lacks a feature that allows the user to separate security-related updates from all other ones.

As yum-security is not working with CentOS (I suppose because the upstream provider restricts usage of the contents required for yum-security to work), we need an alternative.
Inspecting the changelogs of every update for CVE and Bugzilla IDs and then inspecting the Bugzilla tickets for CVE and RHSA is a situation as dissatisfying as it is error-prone.

So I suggest providing a new repository "updates-security".
To maintain full compatibility with yum configurations for the current repository layout, this repository should contain only packages that are included in the "updates" repository, too, but the packages in "updates-security" should use a priority mechanism such as the ones provided by yum-plugin-priorities or yum-plugin-protectbase, so running yum update shall show security-related updates originating from the repository "updates-security" only.
Also the updates-security repository configuration could be provided by a package centos-release-security, so the changes to the repositories only affect people explicitly installing this optional package. A yum plugin providing the chosen priority mechanism shall be required by this package centos-release-security.
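As an added illustration (not part of the original post), here is how an administrator could pick out the security-related updates once such a repository existed. It assumes the proposed "updates-security" repository is configured and that the priority plugin gives it precedence over "updates", so the repository column of `yum check-update` reads "updates-security" for packages carried by both repositories; the sample output below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not the poster's or the CentOS project's own tooling.
# Assumes a repository named "updates-security" (as proposed above) whose
# packages win over "updates" via yum-plugin-priorities, so the repo column
# of `yum check-update` shows "updates-security" for security updates.

# Constructed sample of `yum -q check-update` output: name.arch,
# version-release, repository. Long package names wrap onto a second line,
# and yum appends an "Obsoleting Packages" section after the update list.
SAMPLE_CHECK_UPDATE='
openssl.x86_64                 1.0.0-1.el6             updates-security
kernel.x86_64                  2.6.32-1.el6            updates-security
bash.x86_64                    4.1.2-1.el6             updates
some-very-long-package-name-that-wraps.noarch
                               1.0-2.el6               updates-security
tzdata.noarch                  2015a-1.el6             updates
Obsoleting Packages
newpkg.x86_64                  2.0-1.el6               updates
    oldpkg.x86_64              1.9-1.el6               @base
'

# Print "name.arch version-release" for pending updates that come from the
# security repository (default: updates-security). Reads yum check-update
# output on stdin; rejoins wrapped names and stops at the obsoletes section.
security_updates() {
    awk -v repo="${1:-updates-security}" '
        /^Obsoleting Packages/ { exit }
        NF == 1 { pending = $1; next }
        NF == 2 && pending != "" { $0 = pending " " $1 " " $2; pending = "" }
        NF == 3 && $3 == repo { print $1, $2 }
    '
}

# Wrapper for a live system. Note that yum check-update exits with status 100
# when updates are available, so callers must not treat that as an error.
list_security_updates() {
    yum -q check-update | security_updates "$1"
}
```

Running `list_security_updates` on a host with the proposed repository enabled would print only the security updates; `security_updates updates` would instead list the remaining non-security ones.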