Michel Salim wrote:
Today's Firefox update causes problems on machines with the liferea
package from Fedora Extras, which depends on a specific version of
Firefox. This sets me thinking: what if a vital security update is
being pushed, and we don't mind breaking the packages that block the
update for the time being?
Not really familiar with yum's innards, but would it be possible to
write a module that would, in case of high-security updates (probably
marked as such in the repodata, and perhaps incorporating user input,
e.g. --force-update glob and --ignore-force-update glob), remove
conflicting packages, apply the update, and keep track of which
packages were removed so that they can be automatically reinstalled
when no longer in conflict.
There might be a problem if the conflicting package is not available
from any repository, but in general, does the idea seem sound?
Good proactive idea. I've just never been a fan of trying to prioritize
security patching; it's kind of like deciding which door in your house
should get a lock first. Sure, remote root is "worse" than random app X
having a buffer overrun, but both could end up losing you data, so at the
end of the day it's the same pool full of marmots.
Since it's hard to tell exactly how a security bug could be used against
you it's best just to patch everything, always, as quickly as possible.
In this specific case I'd be wondering why liferea needs a very specific
version of firefox. I just checked the app in question and it states a
requirement of:
firefox = 1.5.0.7
I would propose that this isn't really normal behavior, to require a
specific patch version unless API changed, which in this case I do not
think happened.
So perhaps this could be brought to the attention of the liferea
maintainer first.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list