On 2023-02-23 10:05, Gordon Messmer wrote:
Contrary-wise: Because Fedora updates only contains the latest build, once a build marked as a security fix is obsoleted by another build, there is no longer any indication that a security issue existed in any version, at which point "dnf update --security" no longer works.
For example, https://bodhi.fedoraproject.org/updates/FEDORA-2022-839fd408a5 is no longer an indication of a problem in a default package:
$ podman run --rm -it fedora:37
[root@d1c2aa7da870 /]# rpm -qa vim\*
vim-data-9.0.475-1.fc37.noarch
vim-minimal-9.0.475-1.fc37.x86_64
[root@d1c2aa7da870 /]# dnf update --security vim\*
No security updates needed for "vim*", but 2 updates available
Dependencies resolved.
Nothing to do.
Complete!
That might be a problem only for systems that are updated less frequently than the window between a security update and a later build; I still think it's a flaw that should be fixed.
(And I probably shouldn't have phrased this as if it's very limited. Anything installed from the installation media or "fedora" repo without full updates would definitely have security issues that weren't reflected in the package set selected by "dnf update --security")
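The gap described in this message can be reproduced with a small model. This is an added example, not part of the original post and not dnf's own code: the package name, advisory IDs and versions are constructed, versions are compared as plain tuples rather than with RPM's rules, and the filter is a simplified stand-in for advisory-based selection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # constructed identifier, not a real Bodhi update
    kind: str         # "security", "bugfix" or "enhancement"
    package: str
    version: tuple    # simplified version; real RPM comparison is richer


# Constructed history: a security fix, later obsoleted by an enhancement build.
HISTORY = [
    Advisory("EXAMPLE-0001", "security", "examplepkg", (1, 1)),
    Advisory("EXAMPLE-0002", "enhancement", "examplepkg", (1, 2)),
]


def latest_only(history):
    """Metadata that keeps only the advisory for the newest build per package."""
    newest = {}
    for adv in history:
        cur = newest.get(adv.package)
        if cur is None or adv.version > cur.version:
            newest[adv.package] = adv
    return list(newest.values())


def security_updates(installed, advisories):
    """Packages a security-only filter selects: the installed version is
    older than a build listed in a security advisory."""
    selected = {}
    for adv in advisories:
        have = installed.get(adv.package)
        if have is not None and adv.kind == "security" and adv.version > have:
            selected.setdefault(adv.package, []).append(adv.advisory_id)
    return selected


def missed_security_fixes(installed, history):
    """Security fixes that apply to the host but are invisible once only
    the latest build's advisory remains in the metadata."""
    full = security_updates(installed, history)
    visible = security_updates(installed, latest_only(history))
    return {pkg: ids for pkg, ids in full.items() if pkg not in visible}


if __name__ == "__main__":
    host = {"examplepkg": (1, 0)}  # constructed: installed from release media
    print("selected by security filter:", security_updates(host, latest_only(HISTORY)))
    print("missed:", missed_security_fixes(host, HISTORY))
```

Comparing the two views is also a way to audit a host: anything `missed_security_fixes` returns needs a full update rather than a security-only one.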