> The problem is that Cent 8/9 Stream has quicker critical CVE patches because it's essentially the source and is closer to mirroring RHEL.
This isn't entirely true, at least for embargoed CVEs (so the most critical vulnerabilities). RHEL will always get embargoed patches first. Once RHEL releases the patched packages, Alma/Rocky can rebuild them too. The patches may not be available in Stream yet at this point. This has happened a few times in the past.
Also, there are no advisories for Stream, so it's not always easy to tell if a Stream package includes a patch for a particular CVE. Sometimes you have to go hunting in the changelog to figure it out, as the version numbers don't always match with RHEL's.
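Added example, not part of the comment above: one way to do the changelog hunt it describes, by filtering the output of `rpm -q --changelog` for a CVE id and printing the entries that mention it. The helper name `cve_in_changelog`, the variable `SAMPLE_CHANGELOG` and every value in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. cve_in_changelog is a hypothetical helper name.
# Reads RPM changelog text on stdin (as printed by `rpm -q --changelog PKG`)
# and prints the header of every entry that mentions the CVE id in $1.
# Exit status: 0 if at least one entry mentions it, 1 otherwise.
cve_in_changelog() {
    awk -v cve="$1" '
        # True only for a whole-id match, so CVE-0000-0001 is not
        # reported when the line only contains CVE-0000-00012.
        function mentions(line, id,    p, c) {
            while ((p = index(line, id)) > 0) {
                c = substr(line, p + length(id), 1)
                if (c !~ /[0-9]/) return 1
                line = substr(line, p + length(id))
            }
            return 0
        }
        /^\* / { header = $0; next }   # "* date packager - version-release"
        header != "" && mentions($0, cve) {
            print header; header = ""; found = 1   # report each entry once
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample input; ids, names and versions are placeholders.
SAMPLE_CHANGELOG='* Tue Mar 05 2024 Example Packager <pkg@example.invalid> - 1.2.3-5
- Fix buffer handling (CVE-0000-0001)
- Resolves: EXAMPLE-101
* Mon Jan 08 2024 Example Packager <pkg@example.invalid> - 1.2.3-4
- Backport fix for CVE-0000-00012'

# On a real host: rpm -q --changelog PKG | cve_in_changelog CVE-ID
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog CVE-0000-0001
```

A miss only means the changelog does not name the id; it does not prove the fix is absent from the package.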