When you think "free version of Red Hat Enterprise Linux," I bet CentOS comes to mind.
But a look at the CentOS project over the past few years shows a considerable lag between when RHEL releases and CentOS catches up.
That lag continues, and it's at 200+ days, according to this recent Phoronix article. My question is more basic: Is CentOS keeping up with critical security patches along the way? I hope they are.
I'll look in on -- and encourage you all to join me in this looking-in-on -- the CentOS Announce mailing list, where security patches and other sundries are announced.
For good or ill, CentOS is a very small, selectively manned (not sure if there is a single woman involved, so I'll stick with "manned") project that has a massive user base -- just about everybody who wants the bits that make up Red Hat Enterprise Linux but doesn't want to pay for it.
Don't get me wrong. I've installed CentOS more than a few times. I even ran CentOS 2 once on my old VIA C3 Samuel machine. They offer a very valuable service. I appreciate it. I just wish they'd open up their project, get more people and get things done faster.
Considering the demand, you'd think that there would be either dozens of competing projects, or at least one well-funded free-as-in-beer-and-freedom, pure RHEL clone.
Not that I know of.
So what are the alternatives? If you want to remain in the RHEL-clone realm, Scientific Linux is doing a much better job of keeping up with RHEL. Scientific Linux does include extra packages that its science-heavy user base wants but which are not in the upstream RHEL. I don't know about you, but I see nothing wrong with that.
I've built a couple of servers lately -- nothing mission-critical, mind you, but critical to my own work, and I chose the Linux distribution I know best, Debian GNU/Linux. Not only is every stable release of Debian pretty much a "long-term-support" release given the roughly every-two-years rhythm of stable Debian releases, but the Debian Security Team is top-notch. They're always right there with needed patches for critical components of the system.
While Debian doesn't adhere to a set release schedule, there have been new releases in early 2007 (Etch), early 2009 (Lenny) and early 2011 (Squeeze). Chances are that Debian Wheezy will become the next Stable release in early 2013. And all Debian releases get an additional year of support as Old Stable after the next Stable release is issued. That pushes your support window to early 2014.
Or you could build your server or desktop with Ubuntu's long-term-support release, currently 10.04 LTS, supported on the desktop through April 2013 and on the server through April 2015. And there will be another Ubuntu LTS, this time with five years of support on both desktop and server, in April 2012.
So you don't need RHEL or a RHEL clone to have some stability -- and time to breathe, dammit -- in your installations. And you certainly don't have to wait weeks or months for your free operating system to track the upstream project on which it's based.
Note: This post was edited Dec. 13, 2011 to give CentOS the benefit of the doubt regarding security patches to its active distributions. I have no idea whether the project is timely with patches, or less so. All I know is that Debian is extremely timely with the same for its Stable release, and those patches tend to roll into Ubuntu as well.
Another note: I didn't mention Fedora. I'm a big fan of Fedora, but not such a fan of the six-month upgrade cycle, especially on the server. Yeah, it might theoretically eat into RHEL subscriptions, but Fedora needs an LTS of its own. Badly. It's a glaring omission in what is otherwise an exemplary project.
CentOS isn't terribly timely with kernel updates: I asked the LXer community how CentOS is doing with updates, and they are responding in this thread. It appears that CentOS is running about a month behind with updated kernels. Scientific Linux is about two weeks behind. Please, fans of RHEL clones, let me know why this is OK. Is this a conspiracy to get those who can afford it to purchase a RHEL contract?
I ask you: Are there benefits in running a RHEL clone that offset weeks-late kernel updates?
Update on Dec. 29, 2011: According to LWN.net, CentOS and Scientific Linux are right in there with some critical updates to RHEL.