On 2023-02-24 07:42, Robert Marcano via devel wrote:
> Does DNF on RHEL for example do something different when --security is
> involved? Because the RHEL documentation talks about it as a feature
> to use. Is a lack of metadata for previous updates the problem or the
> implementation?

I don't have the log, but I checked this about a month ago:
I can set up an 8.3 system (I used a UBI container, to be specific) and
subscribe to Red Hat's repositories. Since 8.3, there has been a
security update to bash, but the most recent bash package is not a
security fix. If I run |dnf update --security bash|, the system will
offer the most recent bash package, even though it is not a security
fix. Naturally, if I run |dnf update bash|, I get the same offer.

So on RHEL, dnf will evidently offer to update a package to the current
version if any of the available update candidates are marked as a
security update. And there are multiple update candidates in RHEL
repositories, as well as CentOS Stream repositories, unlike Fedora.

So, from my point of view the biggest problem with "dnf update
--security" on Fedora is that rpm doesn't track minor-version
dependencies of libraries without versioned symbols, which means that
"dnf update --security" can easily break the system by updating a leaf
package but not updating dependencies that have added new interfaces
that it requires. (But I'm working on fixing that.)