On Wed, Nov 08, 2006 at 01:05:46PM -0900, Jeff Spaleta wrote: > On 11/8/06, Michel Salim <michel.salim@xxxxxxxxx> wrote: > >There might be a problem if the conflicting package is not available > >from any repository, but in general, does the idea seem sound? > > Technically... this is possible... the 'security' label is available > in the updateinfo.xml.gz now being generated for updates to fc6. > > Whether or not such a plugin is rational or even sane, will be a > matter of opinion based on individual administrator situations. This > would never be appropriate as something to install by default, and > should only be used by people who know wtf they are doing. > > You would most certaintly want the plugin be advenced enough so admins > could identify a list of 'important' packages which should not be > allowed to break in the effort to force a security update. Its one > think to break liferea it's another to break the deps to httpd, if the > machine is primarily a webserver. I'm in the process of finishing up some api changes to the update metdata module for yum (yum.update_md), and I have a couple of yum plugins/tools I'm going to be getting out the door shortly (once/if I make it through finals next week). The first is a 'securityonly' yum plugin, which will only install updates flagged as security. At the moment the updateinfo.xml.gz metadata, which contains this information, is only being generated for core updates, thus making this plugin only partially useful. I'm currently working on coding up a new and improved updates system[0] for Fedora (encompassing core/extras/legacy) that will give us this metadata for all updates. As for having it purposely break things for 'important' updates, I'm not sure that's the best approach to solving the problem. At the least, I'd like to making sure the user/admin is *well aware* that they have security updates that are unable to be installed (and offer a potential solution). But in a Perfect World (with unified build/update systems, QA, etc), dependency issues like the liferea one Michel mentioned wouldn't happen. The second tool I'm working on is a standalone script to query package update notices via the commandline (by CVE/bug/package/etc). More on that in the near future. luke [0]: http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list