Hi Jake!

On Sun, 16 Jun 2013 10:39:34 -0600 Jake Edge wrote:

> > This is due to this being 1 single update with all the kde
> > packages.
> >
> > See:
> >
> > https://admin.fedoraproject.org/updates/FEDORA-2013-10182/
> >
> > So, all those packages are all "FEDORA-2013-10182"
> >
> > and since you can only mark the single update security or not, the
> > entire thing (and all packages) are marked security.
>
> What I don't quite follow is whether all of those packages are in fact
> updated for security reasons or whether this is just an artifact of
> bodhi (or koji or something) ... I am sensing the latter ...

You can consider this an artifact of Bodhi (the update system), or more
of how it is used. Bodhi allows creating update requests with multiple
packages. Those are expected to be used when updating a set of closely
related packages that should either be all updated (updated as in pushed
to the testing or stable repository) at once or not at all. E.g. various
KDE sub-packages may have strict versioned dependencies on a base KDE
library package, or an NSS update usually requires that all of nss,
nss-util and nss-softoken are updated in sync. Basically, to avoid having
some packages pushed to stable (because one package gets positive karma
from a user who tested it with all packages from the set installed) while
others are still in testing, leading to various problems.

There was a similar thread here started by you a few years ago. It seems
the comments there remain relevant and may be a good reference:

https://lists.fedoraproject.org/pipermail/security/2008-February/001284.html

I presume this change was of a lower priority than other Bodhi changes
that happened since then.

> > I don't know if this will be handled any better in bodhi 2.0, but we
> > could surely look and try and handle things better. What would you
> > like to see for an update like this? Different names for each
> > package? Or some way to tag only those package(s) that are security
> > updates?
>
> Well, I would think Fedora users would only want things that are
> actually security updates to be marked as such ... or are all these
> packages dependent on the Plasma add-ons somehow?

In this case, there's a security fix in kdeplasma-addons. Other packages
are part of the same update request as it primarily is an "update to
KDE 4.10.4" update. Without the security fix, this would contain the same
set of packages, only the update request would be of type bug fix or
enhancement, rather than security.

This can be improved, either in the tool (e.g. via the ability to flag
only specific components in an update request as security), or in the
process (require 1 component per update request, or ask maintainers to
split such requests into at least two, one with the security fix and the
other with the rest, or via a better update description, which would not
help your automated processing, I believe). All of those changes require
some additional effort, and I do not know if there is sufficient
motivation to go that way.

-- 
Tomas Hoger / Red Hat Security Response Team

-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security