Laurențiu Păncescu
Linux distros slow to provide Chromium updates
CentOS Linux 7.4.1708, based on the sources of Red Hat Enterprise Linux 7.4, has been released last Wednesday. Red Hat rebased more software than it used to, especially desktop software, so it took longer for the corresponding CentOS release to be finished. Many thanks to the CentOS Core Team for their extensive work!
If you plan to use CentOS Linux on public servers (for production purposes), you should be aware that there are no security updates between a RHEL point release and the corresponding CentOS Linux point release - usually a few weeks. You can get the updates a bit earlier if you enable the CR repository, but even in this case, since determining the proper build order and required dependencies takes a while, you’ll still have 2-3 weeks without any security updates whatsoever. If that’s unacceptable, please consider paying for RHEL or using a different enterprise distro on your servers, like Debian or Ubuntu LTS.
Outside point releases, all enterprise Linux distros are usually very quick to provide security updates, and normally coordinate the release of fixed packages with security researchers. Unfortunately, it doesn’t seem the case for all packages: today I noticed that Chromium, the open-source browser that Google Chrome is based on, is still at version 60 in Debian and Fedora, although version 61, which fixes a number of security issues, was released almost two weeks ago.
Let’s take a look at the release date of the upstream sources for Chromium and the coresponding binary packages in Debian and Fedora repositories:
| Version | Upstream | Fedora | Debian |
|---|---|---|---|
| 60.0.3112 | 2017-07-25 | 2017-08-09 | 2017-08-02 |
| 59.0.3071 | 2017-06-05 | 2017-06-13 | 2017-06-18 |
| 58.0.3029 | 2017-04-19 | 2017-05-16 | 2017-05-08 |
| 57.0.2987 | 2017-03-09 | 2017-03-30 | 2017-03-16 |
| 56.0.2924 | 2017-01-25 | 2017-02-24 | 2017-01-31 |
| 55.0.2883 | 2016-12-01 | 2016-12-13 | 2016-12-11 |
| 54.0.2840 | 2016-10-12 | 2016-11-04 | 2016-11-26 |
| 53.0.2785 | 2016-08-31 | 2016-09-09 | 2016-09-05 |
| 52.0.2743 | 2016-07-20 | 2016-08-08 | 2016-07-31 |
Chromium isn’t part of the official CentOS repositories, but Fedora makes it available in EPEL, so the updated packages are released either together with the Fedora packages, or with several days of additional delays. In any case, there seem to be 18±8 days of delay for the updates to arrive in Fedora or CentOS Linux, or 13±12 days for Debian.
For Firefox ESR, the security updates are usually available within 1-2 days after the upstream fixes (the 45.5.x packages were delayed on CentOS due to the 7.3.1711 point release, it’s not a mistake in the data):
| Version | Upstream | CentOS | Debian |
|---|---|---|---|
| 45.5.0 | 2016-11-15 | 2016-12-15 | 2016-11-16 |
| 45.5.1 | 2016-11-30 | 2016-12-15 | 2016-12-01 |
| 45.6.0 | 2016-12-13 | 2016-12-16 | 2016-12-14 |
| 45.7.0 | 2017-01-24 | 2017-01-26 | 2017-01-25 |
| 52.0.0 | 2017-03-07 | 2017-03-08 | 2017-03-09 |
| 52.1.0 | 2017-04-19 | 2017-04-20 | 2017-05-05 |
| 52.2.0 | 2017-06-13 | 2017-06-15 | 2017-06-14 |
If browser security matters, run Firefox or Google Chrome, not Chromium – preferably on Debian or RHEL.