'Re: Proposal: drop delta rpms (for real this time)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    Re: Proposal: drop delta rpms (for real this time)
From:       Petr Pisar <ppisar () redhat ! com>
Date:       2023-02-27 8:48:35
Message-ID: Y/xuY0gn4NAyOgl2 () dhcp-0-146 ! brq ! redhat ! com
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


V  Fri, Feb 24, 2023 at 12:08:28PM -0400,  Robert Marcano via devel napsal(a):
> On 2/24/23 12:01 PM, Chris Adams wrote:
> > Once upon a time, Robert Marcano via devel <devel@lists.fedoraproject.org> said:
> > > Does DNF on RHEL for example do something different when --security
> > > is involved? Because the RHEL documentation talks about it as a
> > > feature to use. Is a lack of metadata for previous updates the
> > > problem or the implementation?
> > 
> > Just a guess, but... updates in RHEL are different from updates in
> > Fedora because of policy.  In RHEL, updates outside of a point release
> > are much more targeted - mostly security and significant bug fixes.
> > Since there are fewer updates, the security updates stick around for a
> > while and stand out more.
> > 
> > In Fedora, essentially anything can be updated at any time for any
> > reason, whenever the packager(s) want.  It could be a minor bugfix, a
> > new upstream release, etc.  So the update "churn" tends to be higher.
> > There could be a security update today to a package (maybe just by
> > applying a quick patch), and then maybe upstream incorporates the patch
> > next week (along with other changes) and the Fedora packager updates to
> > that release.  From the Fedora point of view, the second new package is
> > not addressing any security issue, because the first new package did.
> > 
> > Neither are wrong, they're just different polices.
> 
> Right, but does a security update replaced by a non security update will
> hide the first security update on RHEL like happens on Fedora?
> 
> Because if the problem is how DNF process --security and not how Fedora and
> RHEL push security updates metadata, The Red Hat documenting how to use
> dnf-automatic to only install security updates is probably not at all
> secure. Just wondering where is the problem, metadata or implementation.

I think that DNF works same both in Fedora dnf in RHEL. The main difference is
that RHEL repositories contain all historical updates. Therefore DNF can see
security updateinfo data even for packages whose latest update is
a non-security.

-- Petr

["signature.asc" (application/pgp-signature)]
[Attachment #6 (text/plain)]

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic