Michel Salim wrote:
Today's Firefox update causes problems on machines with the liferea package from Fedora Extras, which depends on a specific version of Firefox. This sets me thinking: what if a vital security update is being pushed, and we don't mind breaking the packages that block the update for the time being?
Not really familiar with yum's innards, but would it be possible to write a module that would, in case of high-security updates (probably marked as such in the repodata, and perhaps incorporating user input, e.g. --force-update glob and --ignore-force-update glob), remove conflicting packages, apply the update, and keep track of which packages were removed so that they can be automatically reinstalled when no longer in conflict?
There might be a problem if the conflicting package is not available from any repository, but in general, does the idea seem sound?
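The mechanism proposed above, as an added example that is not code from this thread or from yum itself: a small Python model of "refuse a normal update that would break a dependency, but for a security update remove the blockers, remember them, and reinstall them once a compatible build appears". The liferea version and the fixed firefox version are assumed sample data.

```python
# Added example (not a yum plugin): a model of the proposed "remove blockers, apply
# the security update, reinstall later" logic. All package data is constructed.
from dataclasses import dataclass, field

@dataclass
class Pkg:
    name: str
    version: str
    requires: dict = field(default_factory=dict)  # dep name -> exact version, or None

def blockers(installed, update):
    """Installed packages pinned to a version of update.name other than update.version."""
    return [p for p in installed.values() if update.name in p.requires
            and p.requires[update.name] not in (None, update.version)]

def apply_update(installed, deferred, update, security=False):
    """Refuse (None) a normal update that breaks a package; a security update
    removes the blockers, records them in `deferred` and returns their names."""
    blocked = blockers(installed, update)
    if blocked and not security:
        return None
    for p in blocked:
        deferred[p.name] = installed.pop(p.name)
    installed[update.name] = update
    return [p.name for p in blocked]

def satisfiable(installed, pkg):
    return all(dep in installed and ver in (None, installed[dep].version)
               for dep, ver in pkg.requires.items())

def reinstall_deferred(installed, deferred, available):
    """Reinstall deferred packages once a repo version fits the installed set."""
    done = []
    for name in list(deferred):
        cand = next((c for c in available.get(name, []) if satisfiable(installed, c)), None)
        if cand is not None:
            installed[name] = cand
            del deferred[name]
            done.append(name)
    return done

def scenario():
    installed = {"firefox": Pkg("firefox", "1.5.0.7"),
                 "liferea": Pkg("liferea", "1.0", {"firefox": "1.5.0.7"})}  # constructed
    deferred = {}
    fix = Pkg("firefox", "1.5.0.8")  # assumed version of the security update
    refused = apply_update(installed, deferred, fix)                 # None: would break liferea
    removed = apply_update(installed, deferred, fix, security=True)  # ['liferea']
    rebuilt = {"liferea": [Pkg("liferea", "1.0", {"firefox": "1.5.0.8"})]}
    back = reinstall_deferred(installed, deferred, rebuilt)          # ['liferea']
    return refused, removed, back, installed["firefox"].version, sorted(deferred)
```

The deferred list is the part a real plugin would have to persist across runs; the model keeps it in memory only.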
Good pro-active idea; I've just never been a fan of trying to prioritize security patching. It's kind of like deciding which door in your house should get a lock first. Sure, remote root is "worse" than random app X having a buffer overrun, but both could end up losing you data, so at the end of the day it's the same pool full of marmots.
Since it's hard to tell exactly how a security bug could be used against you, it's best just to patch everything, always, as quickly as possible.
In this specific case, I'd be wondering why liferea needs a very specific version of firefox. I just checked the app in question and it states a requirement of: firefox = 1.5.0.7
I would propose that this isn't really normal behavior, to require a specific patch version unless the API changed, which in this case I do not think happened.
So perhaps this could be brought to the attention of the liferea maintainer first.