Proposal - "Slow updates" repo

James Antill james at fedoraproject.org
Wed Nov 19 15:08:09 UTC 2008


On Wed, 2008-11-19 at 10:08 +0100, Kevin Kofler wrote:
> Seth Vidal wrote:
> > you mean like the already existing yum security plugin and the update info
> > that bodhi generates?
> 
> Except it just doesn't work... 2 big problems there:
> 1. Security updates can be obsoleted by non-security updates. So if you
> didn't install the security update in time, you'll never get it.
> 2. Sometimes security updates cause regressions. Usually these are fixed
> very quickly... in a regular bugfix update. With the result that users of
> yum-security will be stuck with the regression (or if they didn't update in
> time, with situation 1., i.e. without the security update).
> 
> To solve 2., fixes for regressions from security updates would have to be
> marked security as well, or (probably better) use a new category ("bugfix
> for security update") which is also pulled in by yum-security.

 This seems very dodgy to me. Yes, in Fedora you are likely to get a
security errata with extra changes ... and sometimes those extra changes
contain bugs. That doesn't mean the bugs are magically different from
normal bugs.
 We already have bugfix and enhancement ... and we already have "yum
update --bz 1234", for specific problems. I don't think we need/want to
mangle what a security fix is for this.

> To solve 1., the metadata would have to carry the information for the
> security update even after it is obsoleted, and 

 Yes, at the minimum the updateinfo.xml would have to never remove
security data ... at best each package could also contain the latest
security update.

> yum-security would have to
> understand that if foo-1.2.3 is a security update, the currently installed
> package is foo-1.2.2 and the current version in the repo is the bugfix
> update foo-1.2.4, it should install foo-1.2.4. Or alternatively, the latest
> security (or "bugfix for security", see above) update would have to be
> carried in the repos in addition to the latest overall.

 yum-security already does this, and adds a "yum update-minimal" command
so that if you have X-1 installed, X-2 as a security update and X-3 as
an enhancement update "yum update-minimal --security" will move you from
X-1 to X-2.

> In its current state, yum-security is very unreliable and outright
> dangerous.

 You are free to hold this opinion; however, I've had machines running
"yum --security update" in cron for a long time ... and it has worked
perfectly.

-- 
James Antill <james at fedoraproject.org>
Fedora
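
The selection behaviour argued over in this thread, as an added example that is not part of the original message and is not yum-security's code: a simplified model of "--security update" versus "update-minimal --security", including the case where the security notice for an obsoleted update has been dropped from the metadata. The names `parse` and `pick_update`, the dictionary layout and the dotted-integer versions are assumptions made for illustration; real RPM comparison uses epoch:version-release.

```python
# Simplified model of security-filtered update selection (assumed logic,
# not yum-security's implementation). Versions are dotted integers.

def parse(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def pick_update(installed, available, notices, minimal=False):
    """Return the version a security-only update would install, or None.

    installed : version string currently on the system
    available : version strings the repo currently offers
    notices   : {version: type} as carried by updateinfo, type being
                "security", "bugfix" or "enhancement"
    minimal   : True models "update-minimal --security",
                False models "--security update"
    """
    cur = parse(installed)
    newer = sorted((v for v in available if parse(v) > cur), key=parse)
    # Security fixes newer than what is installed, as far as the metadata says.
    sec = [parse(v) for v, t in notices.items()
           if t == "security" and parse(v) > cur]
    if not newer or not sec:
        return None  # filter sees nothing security-relevant to install
    latest_fix = max(sec)
    # Any package at or above the latest security fix contains that fix,
    # even if the package itself is tagged bugfix or enhancement.
    candidates = [v for v in newer if parse(v) >= latest_fix]
    if not candidates:
        return None
    return candidates[0] if minimal else candidates[-1]

if __name__ == "__main__":
    # Constructed sample data mirroring the two cases in the thread.
    x = {"2": "security", "3": "enhancement"}
    print(pick_update("1", ["2", "3"], x, minimal=True))   # X-1 -> X-2
    print(pick_update("1", ["2", "3"], x))                 # X-1 -> X-3
    kept = {"1.2.3": "security", "1.2.4": "bugfix"}
    dropped = {"1.2.4": "bugfix"}  # security notice removed when obsoleted
    print(pick_update("1.2.2", ["1.2.4"], kept))           # foo-1.2.4
    print(pick_update("1.2.2", ["1.2.4"], dropped))        # None: fix missed
```

The last call shows why the thread says updateinfo.xml must never remove security data: once the foo-1.2.3 notice is gone, a security-only filter has no reason to install foo-1.2.4.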



