On 2023-02-23 10:05, Gordon Messmer wrote:
Contrariwise: because Fedora updates only contain the latest build,
once a build marked as a security fix is obsoleted by another build,
there is no longer any indication that a security issue existed in any
version, at which point "dnf update --security" no longer works.
For example,
https://bodhi.fedoraproject.org/updates/FEDORA-2022-839fd408a5 is no
longer an indication of a problem in a default package:
$ podman run --rm -it fedora:37
[root@d1c2aa7da870 /]# rpm -qa vim\*
vim-data-9.0.475-1.fc37.noarch
vim-minimal-9.0.475-1.fc37.x86_64
[root@d1c2aa7da870 /]# dnf update --security vim\*
No security updates needed for "vim*", but 2 updates available
Dependencies resolved.
Nothing to do.
Complete!
That might be a problem only for systems that are updated less
frequently than the window between a security update and a later
build, but I still think it's a flaw that should be fixed.
(And I probably shouldn't have phrased this as if it's very limited.
Anything installed from the installation media or "fedora" repo without
full updates would definitely have security issues that weren't
reflected in the package set selected by "dnf update --security")
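The failure mode described in the message above, modelled as an added example (this is not code from the post, from Bodhi, or from dnf itself). The advisory IDs, package versions and the "only the advisory attached to the current build survives in updateinfo" rule are constructed assumptions that stand in for what the post observes; the version comparison is a simplified rpmvercmp (no epoch, tilde or caret handling). The script contrasts a dnf-style selection, which can only see advisories that reference a build still present in the repository, with a history-aware selection that remembers every security advisory whose build is newer than what is installed.

```python
"""Model of why "dnf update --security" misses fixes once the fixed build is obsoleted.

Added example; all package names, versions and advisory IDs below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str        # constructed advisory id, e.g. "SEC-0001"
    kind: str      # "security" or "bugfix"
    package: str   # package name the advisory references
    evr: str       # the exact build (version-release) the advisory was attached to


def _segments(s: str) -> list[str]:
    """Split a version string into the numeric and alphabetic runs rpm compares."""
    return re.findall(r"\d+|[a-zA-Z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: numeric segments compare numerically, alpha segments
    lexically, a numeric segment sorts newer than an alpha one, longer wins on a tie."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare two 'version-release' strings (epoch is assumed equal)."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Constructed state: what the container has installed and what the repo currently ships.
INSTALLED = {
    "vim-minimal": "9.0.475-1.fc37",
    "vim-data": "9.0.475-1.fc37",
    "bash": "5.2.15-1.fc37",
}
LATEST = {  # the repo carries only one build per package
    "vim-minimal": "9.0.1200-1.fc37",
    "vim-data": "9.0.1200-1.fc37",
    "bash": "5.2.15-2.fc37",
}
# Every advisory ever issued (Bodhi's view). SEC-0001 fixed vim at 9.0.1000, which was
# later obsoleted by the bugfix build 9.0.1200; SEC-0003 is still the current bash build.
ALL_ADVISORIES = [
    Advisory("SEC-0001", "security", "vim-minimal", "9.0.1000-1.fc37"),
    Advisory("SEC-0001", "security", "vim-data", "9.0.1000-1.fc37"),
    Advisory("BUG-0002", "bugfix", "vim-minimal", "9.0.1200-1.fc37"),
    Advisory("BUG-0002", "bugfix", "vim-data", "9.0.1200-1.fc37"),
    Advisory("SEC-0003", "security", "bash", "5.2.15-2.fc37"),
]


def publish_updateinfo(advisories: list[Advisory], latest: dict[str, str]) -> list[Advisory]:
    """Assumed publishing rule: only advisories attached to the build still in the repo survive."""
    return [a for a in advisories if latest.get(a.package) == a.evr]


def dnf_security_selection(installed, latest, updateinfo) -> list[str]:
    """dnf-style: update a package only if a *security* advisory references the available build."""
    secure_builds = {(a.package, a.evr) for a in updateinfo if a.kind == "security"}
    return sorted(
        pkg for pkg, have in installed.items()
        if pkg in latest and evr_cmp(latest[pkg], have) > 0 and (pkg, latest[pkg]) in secure_builds
    )


def history_security_selection(installed, latest, advisories) -> list[str]:
    """History-aware: update if any security advisory's build is newer than what is installed."""
    return sorted(
        pkg for pkg, have in installed.items()
        if pkg in latest and evr_cmp(latest[pkg], have) > 0
        and any(a.kind == "security" and a.package == pkg and evr_cmp(a.evr, have) > 0
                for a in advisories)
    )


if __name__ == "__main__":
    published = publish_updateinfo(ALL_ADVISORIES, LATEST)
    print("updateinfo as shipped:", sorted({a.id for a in published}))
    print("dnf --security would select:", dnf_security_selection(INSTALLED, LATEST, published))
    print("history-aware selection:   ", history_security_selection(INSTALLED, LATEST, ALL_ADVISORIES))
```

With the constructed data, the shipped updateinfo retains only BUG-0002 and SEC-0003, so the dnf-style filter selects just bash while the vim packages, which sit below a security fix, are skipped; the history-aware check selects all three. The practical takeaway matches the post: on a host that has fallen behind, plain "dnf update" (or checking installed versions against the advisory history directly) is the safer choice over "--security".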