On Thu, Feb 23, 2023 at 10:15:42AM -0800, Gordon Messmer wrote:
> On 2023-02-23 10:05, Gordon Messmer wrote:
> > Contrary-wise: Because Fedora updates only contain the latest build,
> > once a build marked as a security fix is obsoleted by another build,
> > there is no longer any indication that a security issue existed in any
> > version, at which point "dnf update --security" no longer works.
> 
> For example, https://bodhi.fedoraproject.org/updates/FEDORA-2022-839fd408a5
> is no longer an indication of a problem in a default package:
> 
> $ podman run --rm -it fedora:37
> [root@d1c2aa7da870 /]# rpm -qa vim\*
> vim-data-9.0.475-1.fc37.noarch
> vim-minimal-9.0.475-1.fc37.x86_64
> [root@d1c2aa7da870 /]# dnf update --security vim\*
> No security updates needed for "vim*", but 2 updates available
> Dependencies resolved.
> Nothing to do.
> Complete!
> 
> > That might be a problem only for systems that are updated less
> > frequently than the window between a security update and a later build,
> > but I still think it's a flaw that should be fixed.
> 
> (And I probably shouldn't have phrased this as if it's very limited.
> Anything installed from the installation media or "fedora" repo without full
> updates would definitely have security issues that weren't reflected in the
> package set selected by "dnf update --security".)

For this reason, bodhi used to mark such packages for the rest of the
release. I.e., if you mark foo-1.0-1.fc37 a security update, forever after
that foo package gets 'security' in the updateinfo. I think this was
dropped because it confused too many people and it also didn't really
express the actual problem here.

I'm not sure what a solution could be. Keep every update in updateinfo
so dnf could tell you that there are 2 updates and 1 is security and the
other bugfix? But then we would need to also keep those updates around
to update to.

kevin
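The gap discussed above, as an added example that is not part of this thread or of bodhi/dnf: a constructed updateinfo.xml fragment (advisory ids FEDORA-EXAMPLE-000x and the vim-minimal builds 9.0.1000 and 9.0.1200 are made up; the installed 9.0.475-1.fc37 is from the quoted container output, and epoch 2 is assumed) is checked once with its full history and once after pruning to the newest build per package, the way a latest-build-only repo would publish it. The version ordering is a simplified rpmvercmp written for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml fragment (not real Fedora data): a security
# advisory for vim-minimal 9.0.1000, then a later plain bugfix build 9.0.1200.
UPDATEINFO = """<updates>
 <update type="security"><id>FEDORA-EXAMPLE-0001</id><pkglist><collection>
  <package name="vim-minimal" epoch="2" version="9.0.1000" release="1.fc37"/>
 </collection></pkglist></update>
 <update type="bugfix"><id>FEDORA-EXAMPLE-0002</id><pkglist><collection>
  <package name="vim-minimal" epoch="2" version="9.0.1200" release="1.fc37"/>
 </collection></pkglist></update>
</updates>"""
INSTALLED = {"vim-minimal": ("2", "9.0.475", "1.fc37")}  # version from the thread, epoch assumed

def evr_key(evr):
    """Sort key for (epoch, version, release) using a simplified rpmvercmp (no ~
    or ^): numeric segments beat alpha, then value, then leftover segments win."""
    return [[(1, int(t)) if t.isdigit() else (0, t)
             for t in re.findall(r"\d+|[A-Za-z]+", part)] for part in evr]

def _evr(pkg):
    return (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))

def pending_security(installed, updateinfo_xml):
    """Ids of security advisories whose build is newer than the installed one,
    even when a later non-security build also exists (needs the full history)."""
    ids = set()
    for upd in ET.fromstring(updateinfo_xml).findall("update"):
        if upd.get("type") != "security":
            continue
        for pkg in upd.iter("package"):
            inst = installed.get(pkg.get("name"))
            if inst and evr_key(_evr(pkg)) > evr_key(inst):
                ids.add(upd.findtext("id"))
    return sorted(ids)

def latest_only(updateinfo_xml):
    """Simulate a repo that carries only each package's newest build: the older
    <update> entry, and with it the 'security' type of that fix, disappears."""
    root = ET.fromstring(updateinfo_xml)
    newest = {}  # package name -> (EVR key, <update> element)
    for upd in root.findall("update"):
        for pkg in upd.iter("package"):
            key = evr_key(_evr(pkg))
            if key > newest.get(pkg.get("name"), ([], None))[0]:
                newest[pkg.get("name")] = (key, upd)
    for upd in list(root):
        if all(upd is not u for _, u in newest.values()):
            root.remove(upd)
    return ET.tostring(root, encoding="unicode")
```

With the full history, `pending_security(INSTALLED, UPDATEINFO)` reports FEDORA-EXAMPLE-0001 for the 9.0.475 install; after `latest_only()` the same install reports nothing, although the newer build it would receive still carries that fix.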

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue