hi,
I've found an issue with the "dnf upgrade --security" command.
It goes like this:
Let's say you have installed a package "openssl-libs-1:3.2.2-2.el9.x86_64".
Now you would like to upgrade it, so you would do:
sudo yum upgrade openssl-libs-3.2.2-4.el9
It shows the upgrade properly, nice !
I would now like to point out that though we have not provided an "epoch" in the package name above, dnf still gets us the correct package.
All expected behaviour.
Now instead of providing the upgrade package via cmd, I will do that via "updateinfo.xml" file in metadata of some repo.
the updateinfo.xml would look like this:
<updates>
<update from="someone" status="stable" type="security" version="1.4">
<id>someid-1746018269-openssl</id>
<title>CentOS openssl BugFix Update</title>
<release>CentOS 9</release>
<issued date="2022-06-02 17:42:44"/>
<references>
<reference href="https://some.ref.com" type="self"/>
</references>
<description>CentOS openssl BugFix Update</description>
<pkglist>
<collection short="EL-9">
<name>CentOS 9</name>
<package arch="x86_64" name="openssl-libs" release="4.el9" src="" version="3.2.2">
<filename>openssl-libs-3.2.2-4.el9.x86_64.rpm</filename>
</package>
<package arch="x86_64" name="openssl" release="4.el9" src="" version="3.2.2">
<filename>openssl-3.2.2-4.el9.x86_64.rpm</filename>
</package>
</collection>
</pkglist>
</update>
</updates>
and the corresponding repomd.xml would look like this:
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
<revision>1746620414</revision>
<data type="updateinfo">
<location href="repodata/updateinfo.xml"/>
<timestamp>1746620414</timestamp>
<size>49711</size>
</data>
</repomd>
both the above files are inside repodata dir.
you can see in <package> element in updateinfo.xml that I have not provided "epoch" in there.
so that would correspond to "openssl-libs-3.2.2-4.el9.x86_64" as package name.
now after creating test.repo file,
[CentOS9_errata]
name=CentOS 9 errata generated from Tenable exports
baseurl=file:///path/to/dir/which/contains/repodate
enabled=1
gpgcheck=0
priority=99
I did this:
sudo dnf upgrade --security
Now the command does nothing, as it thinks the package I have installed has "epoch" as "1" and the package in the updateinfo.xml has no "epoch", so it considers "epoch" as "0" and marks that there is no requirement to upgrade.
This is some distinct weird behaviour, as if I can do
sudo yum upgrade openssl-libs-3.2.2-4.el9
to upgrade, I should also be able to do the same in the updateinfo.xml file. Why the conflicting behaviour here?
Please help !
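
Added example, not part of the original post and not dnf's own code: a check over updateinfo.xml that reproduces the comparison described above, where a <package> entry with no epoch attribute is read as epoch 0 and so sorts below the installed epoch 1. The version comparison is a simplified stand-in for rpm's, and the INSTALLED table and all function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the advisory entry from the post, reduced to one package.
UPDATEINFO = """<updates>
  <update from="someone" status="stable" type="security" version="1.4">
    <id>someid-1746018269-openssl</id>
    <pkglist><collection short="EL-9">
      <package arch="x86_64" name="openssl-libs" release="4.el9" src="" version="3.2.2">
      </package>
    </collection></pkglist>
  </update>
</updates>"""
INSTALLED = {"openssl-libs": (1, "3.2.2", "2.el9")}  # installed EVR from the post

def cmp_label(a, b):
    """Simplified rpm-style compare of one version/release string (no ~ or ^)."""
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def cmp_evr(a, b):
    """Compare (epoch, version, release) tuples; epoch is decided first."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return cmp_label(a[1], b[1]) or cmp_label(a[2], b[2])

def advisory_packages(xml_text):
    """Yield (name, evr, epoch_present) for each <package> element."""
    for pkg in ET.fromstring(xml_text).iter("package"):
        epoch = pkg.get("epoch")
        evr = (int(epoch or 0), pkg.get("version"), pkg.get("release"))
        yield pkg.get("name"), evr, epoch is not None

def check(xml_text, installed):
    """Return advisory entries that do not sort newer than what is installed."""
    findings = []
    for name, evr, has_epoch in advisory_packages(xml_text):
        if name in installed and cmp_evr(evr, installed[name]) <= 0:
            findings.append((name, evr, has_epoch))
    return findings

if __name__ == "__main__":
    print(check(UPDATEINFO, INSTALLED))
```

Each returned entry is an advisory package that would be skipped for the given installed set; the last field is False when the entry carries no epoch attribute.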