Once upon a time, Robert Marcano via devel <devel(a)lists.fedoraproject.org> said:
> Does DNF on RHEL for example do something different when --security
> is involved? Because the RHEL documentation talks about it as a
> feature to use. Is a lack of metadata for previous updates the
> problem or the implementation?

Just a guess, but... updates in RHEL are different from updates in
Fedora because of policy. In RHEL, updates outside of a point release
are much more targeted - mostly security and significant bug fixes.
Since there are fewer updates, the security updates stick around for a
while and stand out more.

In Fedora, essentially anything can be updated at any time for any
reason, whenever the packager(s) want. It could be a minor bugfix, a
new upstream release, etc. So the update "churn" tends to be higher.
There could be a security update today to a package (maybe just by
applying a quick patch), and then maybe upstream incorporates the patch
next week (along with other changes) and the Fedora packager updates to
that release. From the Fedora point of view, the second new package is
not addressing any security issue, because the first new package did.
Neither are wrong, they're just different policies.
--
Chris Adams <linux(a)cmadams.net>