'Re: Proposal: drop delta rpms (for real this time)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    Re: Proposal: drop delta rpms (for real this time)
From:       Robert Marcano via devel <devel () lists ! fedoraproject ! org>
Date:       2023-02-24 16:46:36
Message-ID: ed2e6740-7771-99e5-7d39-1eb39272b5bd () marcanoonline ! com
[Download RAW message or body]

On 2/24/23 12:35 PM, Gordon Messmer wrote:
> On 2023-02-24 07:42, Robert Marcano via devel wrote:
>> Does DNF on RHEL for example do something different when --security is 
>> involved? Because the RHEL documentation talks about it as a feature 
>> to use. Is a lack of metadata for previous updates the problem or the 
>> implementation? 
> 
> 
> I don't have the log, but I checked this about a month ago:
> 
> I can set up an 8.3 system (I used a UBI container, to be specific) and 
> subscribe to Red Hat's repositories. Since 8.3, there has been a 
> security update to bash, but the most recent bash package is not a 
> security fix. If I run |dnf update --security bash|, the system will 
> offer the most recent bash package, even though it is not a security 
> fix. Naturally, if I run |dnf update bash|, I get the same offer.
> 
> So on RHEL, dnf will evidently offer to update a package to the current 
> version if any of the available update candidates are marked as a 
> security update.  And there are multiple update candidates in RHEL 
> repositories, as well as CentOS Stream repositories, unlike Fedora.

Thanks for testing it. So, if there is a desire to "fix" this in Fedora, 
having the repository includes the latest package marked as a security 
update and the latest one. I am not sure that will solve much because it 
still depends, as other posts said, Fedora has more open rules for 
updates, than enterprise distributions and therea are entire version 
jumps without tracking errata metadata.
> 
> So, from my point of view the biggest problem with "dnf update 
> --security" on Fedora is that rpm doesn't track minor-version 
> dependencies of libraries without versioned symbols, which means that 
> "dnf update --security" can easily break the system by updating a leaf 
> package but not updating dependencies that have added new interfaces 
> that it requires.  (But I'm working on fixing that.)
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-leave@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic