Skip to main content

Rocky Linux Introduces a Security Repository and Why That Matters

I wrote this for Rocky Linux to explain a real change to how we can respond in an emergency. CopyFail and Dirty Frag both landed with public proof-of-concept exploits before upstream had fixes broadly available, and that left administrators aware of the risk and simply waiting. So we built an optional, opt-in security repository to give us a path to ship urgent fixes ahead of upstream when circumstances genuinely demand it.

Originally published on Rocky Linux Read the full article →

A few things I wanted people to walk away with:

  • It is disabled by default, and that is intentional. The standard Rocky experience stays predictable, stable, and fully upstream-compatible; you opt in only when you need accelerated fixes with sudo dnf --enablerepo=security update.
  • These packages are a bridge, not a fork. They are versioned to be superseded automatically when upstream ships its fix, so you land back on upstream-aligned packages as fast as possible, which also means no traditional errata records.
  • It is a narrow exception, not a change in direction. The bar is high: a significant vulnerability is public, exploit code exists, and upstream has no fix yet. We are not maintaining independent kernel forks indefinitely.

If your environment does not need accelerated fixes, do nothing and your system behavior does not change.