CIQ and RESF Team Up to Improve Rocky Linux Errata

We're pleased to share some updates about recent improvements to Apollo, the tooling that powers Rocky Linux security advisories. This work is an excellent example of CIQ and the Rocky Enterprise Software Foundation (RESF) collaborating to improve the Rocky Linux community.
Shipping Errata with Apollo
The Apollo system, which handles the creation of Rocky Linux security advisories from upstream sources, had been working well. However, as with any mature software project, there was room for improvement. We identified opportunities to improve it, particularly in accuracy and publication speed. Some advisory publications were taking longer than ideal to process and, at times, were lacking in completeness. These are the kinds of refinements that come naturally as a project matures and usage scales up.
Refactoring Apollo
CIQ engineers, working closely with the RESF, undertook a significant refactor of Apollo to modernize its approach and improve reliability. The updated system now gets security errata published much more quickly after Rocky Linux packages are available, with typical timelines reduced from days to hours.
Apollo now uses CSAFv2 (Common Security Advisory Framework) files, which are a more modern and reliable approach than the previous data source. CSAFv2 provides information in a more structured format, making it easier to ingest and process, helping keep advisories up to date as upstream conditions change.
We've implemented additional automated workflows that run regularly to match and publish advisories without requiring manual intervention. The system now checks for new advisories on a schedule and processes them automatically, making the whole pipeline more consistent across Rocky Linux versions 8, 9, and 10.
The new matching logic is also more competent at handling the various ways packages can be versioned, helping ensure comprehensive coverage across all Rocky Linux releases and minimizing manual steps.
The updated tooling also gives the RESF Release Engineering team a better user interface for manual intervention, when required, along with better visibility into system status and more manageable ways to handle edge cases as they arise.
For folks running Rocky Linux in production, these improvements translate to a smoother experience. Security updates flow more predictably, automated patching tools work more reliably, and security scanners get the information they need. It's the kind of infrastructure work that might not be flashy, but makes day-to-day operations better and more secure.
Open Source Collaboration Done Right
This project is a great example of how open source collaboration works well. Working together to identify areas for improvement, CIQ and the Rocky Linux community reviewed, tested, and deployed significant changes to Apollo to improve the user experience and close gaps with security advisories.
The phased rollout approach allowed us to make significant improvements without disrupting existing workflows, and improved documentation ensures the community can understand and contribute more effectively to the codebase going forward.
With these improvements deployed, Rocky Linux has a modernized infrastructure for handling security advisories. The automated pipeline ensures consistent, timely delivery of security information, and the improved tooling makes it easier for the project to maintain and enhance the system over time.
Steady improvements are what keep open source projects healthy and reliable. We're grateful to work with the RESF on making Rocky Linux better for everyone who depends on it.
Thanks
Kudos to Sam Thornton at CIQ for driving the technical implementation, Mustafa Gezen of the Rocky Linux Release Engineering team for his partnership in testing and deployment, and the broader RESF community for their collaboration throughout the project.
Learn More
Interested in the technical details? Check out the Apollo project at https://github.com/resf/distro-tools, and you can see the results at errata.rockylinux.org.



