Can someone help me explain the way patches are released by vendors compared to a community supported Linux, i.e Redhat compared to Centos?

For example, when a security flaw is found in a piece of software and someone, somewhere finds and fixes the hole and releases the update do the Redhat & Centos teams simply take this patch and incorporate it into their updater (rhn or yum)?

My employer is asking for vendor supported Linux distro's only, but I want to use Centos. I am trying to get a grasp on the way patches are handled and formulate a validate argument.

Thanks.

distro vendors themselves don't release patches. they would take either take a patch, apply it to the vulnerable release and release it as an entire package, or take the patched software from the software developers themselves and release it. which angle is typically dependent on the position of the original developers, their willingness or ability to respond to the issue.

As far as Redhat and CentOS go, redhat do their patching and updates releases in under a week, often much sooner, this same update will cascade down into CentOS. CentOS do apply a few minor tweaks outside of the redhat releases, but only very rarely if they really think there's a unaddressed issue. Generally they would prefer to pass on redhat's updates as it contiues to ensure compatability with redhat.

If your boss wants to pay for support then get Redhat every time, but if he wants redhat based on some dumb preconception that even within support he's somehow still better off with it, he's a muppet, and CentOS is a much more sensible option as you will still get the same updates you'd normally be paying for, but with a slight delay.