I recently helped another user repair their Fedora workstation, after an
update broke gnome-shell. In their case, I believe that the problem
occurred because they had the nodejs:14 module enabled, which contained
an outdated libnghttp2 [1], but in principle, the problem can affect any
system that selectively applies updates, or any system on which packages
are installed without also applying updates [2].
I expected that if I checked, I could find some mention in the Fedora
documentation to the effect that the only supportable configuration for
a major-version stable distribution is fully patched. The only thing I
could actually find, though, was an article about applying only security
or bugfix updates [3], which is basically the opposite.
(As an aside, I *also* think that "dnf update --security" is broken on
Fedora because not only can it result in broken dependencies, but it can
be misleading. In the case that a security update is published and
subsequently obsoleted by another update, systems with an affected,
older package would not be informed that a security update was required.
The second, subsequent update does include security fixes for older
versions, but that information is lost. Maybe Fedora should retain any
package which was marked as a security fix?)
So, first, I will open a PR with some changes to Fedora's DNF
documentation [4] encouraging users to apply all updates before
installing packages. I may follow up on the Fedora Magazine article, as
well. It doesn't feel right to propose an article on Fedora Magazine
advising users not to use "dnf update --security", but it also doesn't
feel right to publish articles describing that feature without also
describing any caveats.
Second, I'd like to suggest that in the future, at least in Fedora, for
any "install" or "update" operation that dnf performs, dnf's default
behavior should be checking all of the direct and indirect dependencies
of the packages being installed (or updated) and updating any
dependencies which have updates available.
Does anyone else have any opinions on the subject? Should I simply file
a bug against dnf proposing this behavior?
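The two behaviours discussed above, modelled as an added example (this is not dnf's code, and the package names, versions, advisory types and dependency edges are constructed to mirror the libnghttp2/libsoup3 case from footnote 2; version strings are compared as integer tuples, a simplification of rpm's real version comparison). `security_updates_naive` shows how a selector that looks only at the newest advisory per package misses a security fix that a later bugfix update obsoleted; `security_updates_cumulative` flags the package whenever any version between the installed one and the newest was published as a security advisory. `stale_dependencies` walks the transitive requires of a package about to be installed and reports which already-installed dependencies have newer versions available, which is the check proposed for dnf's default "install"/"update" behaviour.

```python
"""Toy model of the two update-selection behaviours discussed above.

Constructed data; not dnf's own logic or metadata format.
"""
from collections import deque


def vkey(version):
    # Simplified: rpm's real comparison (rpmvercmp) is not a plain int tuple.
    return tuple(int(p) for p in version.split("."))


# Constructed update history per package: (version, advisory type), in order.
HISTORY = {
    "libnghttp2": [("1.49.0", "enhancement"), ("1.51.0", "security"), ("1.52.0", "bugfix")],
    "libsoup3": [("3.2.1", "bugfix"), ("3.2.2", "bugfix")],
    "glib2": [("2.74.1", "bugfix")],
}

# Constructed dependency edges: package -> packages it requires at runtime.
REQUIRES = {
    "chezdav": ["libsoup3"],
    "libsoup3": ["libnghttp2", "glib2"],
    "libnghttp2": [],
    "glib2": [],
}


def latest(pkg):
    """Newest (version, advisory type) entry known for pkg."""
    return max(HISTORY[pkg], key=lambda e: vkey(e[0]))


def security_updates_naive(installed):
    """Select a package only if its newest available update is a security advisory."""
    out = []
    for pkg, ver in installed.items():
        newest_ver, kind = latest(pkg)
        if vkey(newest_ver) > vkey(ver) and kind == "security":
            out.append(pkg)
    return sorted(out)


def security_updates_cumulative(installed):
    """Select a package if ANY version newer than the installed one was a security advisory."""
    out = []
    for pkg, ver in installed.items():
        if any(vkey(v) > vkey(ver) and kind == "security" for v, kind in HISTORY[pkg]):
            out.append(pkg)
    return sorted(out)


def transitive_requires(pkgs):
    """Breadth-first closure over REQUIRES, excluding the starting packages themselves."""
    seen, queue = set(), deque(pkgs)
    while queue:
        p = queue.popleft()
        for dep in REQUIRES.get(p, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def stale_dependencies(to_install, installed):
    """Installed transitive dependencies of to_install that have a newer version available.

    Returns {package: (installed_version, newest_version)}. Dependencies that are
    not yet installed are skipped: the resolver will pull their newest version anyway.
    """
    stale = {}
    for dep in transitive_requires(to_install):
        if dep in installed:
            newest_ver, _ = latest(dep)
            if vkey(newest_ver) > vkey(installed[dep]):
                stale[dep] = (installed[dep], newest_ver)
    return stale


if __name__ == "__main__":
    # Mirrors footnote 2: old libnghttp2 installed, chezdav (and libsoup3) about to be added.
    installed = {"libnghttp2": "1.49.0", "glib2": "2.74.1"}
    print(security_updates_naive(installed))       # [] : the 1.51.0 security advisory is masked
    print(security_updates_cumulative(installed))  # ['libnghttp2']
    print(stale_dependencies(["chezdav"], installed))  # {'libnghttp2': ('1.49.0', '1.52.0')}
```

The naive selector returns nothing for an installed libnghttp2-1.49.0 because the newest entry (1.52.0) is a bugfix advisory, even though 1.51.0 was a security update that 1.49.0 never received; the cumulative selector keeps that information. The dependency walk reports libnghttp2 as stale before chezdav is installed, which is exactly the state that produces the symbol lookup error in footnote 2.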
1: https://bugzilla.redhat.com/show_bug.cgi?id=2164944
2: For example:
$ podman run --rm -it fedora:37
[root@30a0f8c3f6a8 /]# rpm -q libnghttp2
libnghttp2-1.49.0-1.fc37.x86_64
[root@30a0f8c3f6a8 /]# dnf install chezdav
...
[root@30a0f8c3f6a8 /]# chezdav
chezdav: symbol lookup error: /lib64/libsoup-3.0.so.0: undefined symbol:
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation
[root@30a0f8c3f6a8 /]# rpm -q libsoup3 libnghttp2
libsoup3-3.2.2-2.fc37.x86_64
libnghttp2-1.49.0-1.fc37.x86_64
3: https://fedoramagazine.org/how-to-install-only-security-and-bugfixes-updates-with-dnf/
4: https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/package-management/DNF/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx