"My remaining concern about CentOS is that they have
been slow with some security patches lately and that has nothing to
do with the developers' issues which made the press. Red Hat
delivered Firefox 3.0.12, a security patch which closed five
vulnerabilities classified as "critical", the same day Mozilla did.
Scientific Linux (another RHEL clone) had it available within 24
hours. It took CentOS more than a week. That isn't good for
something with known, significant vulnerabilities. Before someone
points out that a browser isn't critical or perhaps even
appropriate for most servers I'll remind my readers that the
upstream "prominent North American Enterprise Linux vendor" sells
its product for both servers and corporate workstations/desktops.
It is fair to assume that CentOS is used the same way. This also
was not an isolated case of one late patch. Some patches have been
very quick to arrive and others have not been. CentOS has been
erratic with its patching for quite some time."