On Thu, Feb 23, 2023 at 10:15:42AM -0800, Gordon Messmer wrote:
On 2023-02-23 10:05, Gordon Messmer wrote:
> Contrary-wise: Because Fedora updates only contain the latest build,
> once a build marked as a security fix is obsoleted by another build,
> there is no longer any indication that a security issue existed in any
> version, at which point "dnf update --security" no longer works.
For example,
https://bodhi.fedoraproject.org/updates/FEDORA-2022-839fd408a5
is no longer an indication of a problem in a default package:
$ podman run --rm -it fedora:37
[root@d1c2aa7da870 /]# rpm -qa vim\*
vim-data-9.0.475-1.fc37.noarch
vim-minimal-9.0.475-1.fc37.x86_64
[root@d1c2aa7da870 /]# dnf update --security vim\*
No security updates needed for "vim*", but 2 updates available
Dependencies resolved.
Nothing to do.
Complete!
> That might be a problem only for systems that are updated less
> frequently than the window between a security update and a later build,
> but I still think it's a flaw that should be fixed.
(And I probably shouldn't have phrased this as if it's very limited.
Anything installed from the installation media or "fedora" repo without full
updates would definitely have security issues that weren't reflected in the
package set selected by "dnf update --security")
For this reason, bodhi used to mark such packages for the rest of the
release. I.e., if you mark foo-1.0-1.fc37 a security update, forever after
that foo package gets 'security' in the updateinfo. I think this was
dropped because it confused too many people and it also didn't really
express the actual problem here.
I'm not sure what a solution could be. Keep every update in updateinfo
so dnf could tell you that there's 2 updates and 1 is security and the
other bugfix? but then we would need to also keep those updates around
to update to.
kevin
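The gap the thread describes can be shown without a live mirror: the repo's updateinfo keeps only the newest build per package, so once a bugfix build lands after a security build, "dnf update --security" sees a bugfix and stops, while the update history still records a security update newer than what is installed. The script below is an added example, not code from the thread or from bodhi/dnf. It assumes update records shaped like Bodhi's JSON (only "updateid", "type" and "builds" as SRPM NVRs are used), implements an rpmvercmp-style comparison for the version/release parts (tilde and caret pre-release markers are deliberately not handled), and uses constructed update IDs and build versions other than the installed 9.0.475-1.fc37 from the transcript.

```python
"""Compare what a latest-build-only updateinfo tells "dnf update --security"
with what the full update history says.  Added example; the update records
and the FEDORA-2022-example-* IDs below are constructed, not real."""
import re


def _segments(s):
    # rpmvercmp() walks runs of digits and runs of letters; anything else is a separator
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Order two version or release strings like rpmvercmp(): -1, 0 or 1.
    Assumption: tilde/caret pre-release markers are not implemented."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)            # numeric segments: leading zeros ignored
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1          # both alpha: plain string order
    # identical so far: whichever string still has segments left is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(nvr):
    """'vim-9.0.475-1.fc37' -> ('vim', '9.0.475', '1.fc37')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(a, b):
    """Order two builds of the same package by version, then release."""
    _, va, ra = parse_nvr(a)
    _, vb, rb = parse_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def updateinfo_as_shipped(updates):
    """Per package name, the newest build and the type of the update that carried it.
    This is all a latest-build-only updateinfo retains."""
    newest = {}
    for u in updates:
        for nvr in u["builds"]:
            name = parse_nvr(nvr)[0]
            if name not in newest or compare_nvr(nvr, newest[name][0]) > 0:
                newest[name] = (nvr, u["type"], u["updateid"])
    return newest


def dnf_update_security_view(installed_nvr, updates):
    """Mimic 'dnf update --security': only the update still attached to the
    newest build counts, so an obsoleted security update is invisible."""
    name = parse_nvr(installed_nvr)[0]
    nvr, utype, uid = updateinfo_as_shipped(updates)[name]
    return [uid] if utype == "security" and compare_nvr(nvr, installed_nvr) > 0 else []


def security_updates_since(installed_nvr, updates):
    """Walk the full history instead: every security update whose build for
    this package is newer than the installed one."""
    name = parse_nvr(installed_nvr)[0]
    hits = []
    for u in updates:
        if u["type"] != "security":
            continue
        for nvr in u["builds"]:
            if parse_nvr(nvr)[0] == name and compare_nvr(nvr, installed_nvr) > 0:
                hits.append(u["updateid"])
    return hits


# Constructed history: the installed build, a later security update, then a bugfix
# build that obsoletes it.  Only 9.0.475-1.fc37 comes from the thread's transcript.
INSTALLED = "vim-9.0.475-1.fc37"
BODHI_UPDATES = [
    {"updateid": "FEDORA-2022-example-bug1", "type": "bugfix",
     "builds": ["vim-9.0.475-1.fc37"]},
    {"updateid": "FEDORA-2022-example-sec1", "type": "security",
     "builds": ["vim-9.0.800-1.fc37"]},      # hypothetical version
    {"updateid": "FEDORA-2022-example-bug2", "type": "bugfix",
     "builds": ["vim-9.0.900-1.fc37"]},      # hypothetical version
]

if __name__ == "__main__":
    print("dnf --security sees:", dnf_update_security_view(INSTALLED, BODHI_UPDATES))
    print("history says:       ", security_updates_since(INSTALLED, BODHI_UPDATES))
```

The two results differ for the constructed data: the latest-build view returns nothing, because the newest update is a bugfix, while the history walk returns the obsoleted security update. Against a real system the installed side would be the binary package's source RPM (rpm -q --qf '%{SOURCERPM}' vim-minimal), since Bodhi lists builds by SRPM NVR, and the update list would come from Bodhi's API rather than the inline sample.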