New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why are some security errata ignored? #13
Comments
It appears that the generate_updateinfo script is working as expected, as the errata is parsed from the CEFS xml and the metadata file created and injected into the repository shows the relevant errata. I'm not exactly sure what would be causing this without digging into the guts of yum. Perhaps the yum cache still thinks that errata is installed? Have you tried to clean the cache after downgrading the package then checking for errata? |
Yes, I tried to clean the yum cache with |
Does anybody else has any suggestion what could cause described issue? |
I ran into the same problem and just spend a few hours fixing it (at least for me). Each RPM package has three attributes: Epoch, Version and Release (EVR). For most packages (around 70-80%), Epoch is set to "0". For some other packages (I discovered libpng and squid), the Epoch value is set to a numeric value greater than 0. The generate_updateinfo script always sets Epoch to "0" which is why the errata are not matched up for packages where Epoch is not in fact 0, but higher. The problem with this is that unlike Version and Release, the Epoch is not included in the filename. The only option to get it is to parse the sqlite database contained in the CentOS repositories. There is no way to fix this inside generate_updateinfo easily. If you are interested, I have created a ready-made repository which you can find here: |
@stevemeier This is great news! Thank you for creating these repos. |
I successfully use the script to generate security errata metadata and to update
updateinfo.xml
file with it in my local CentOS6 repositories (with CLI args-t all -s all
). All repositories are up-to-date (till the date today, 2017/03/10). Unfortunately, I noticed a small inconsistency in what's going to be updated when you runyum update --security
command.How to reproduce the issue (tested on CentOS 6.8, x86_64, but IMO, previous/newer versions suffer from the same issue):
squid
packagesquid
package should be newly listed but it isn'tsquid-3.1.23-16.el6_8.5.x86_64
(CEBA_2016__1412 bugfix
) butsquid-3.1.23-16.el6_8.6.x86_64
(CESA_2016__1573
) seems to be still marked as installedI would like to point out that I tested this scenario (downgrade/upgrade) on RHEL6 and it worked. I also tried to install old version of
squid
package directly to avoid downgrade/upgrade sequence but the result was also the same. And the issue is not related tosquid
package only. Basically, I can reproduce the issue with any package.Any idea what could be wrong?!? Why is it marked as installed when it is actually not?!? When testing on RHEL6, I can see it is not installed and then, it is included in the list of packages to be updated.
Thanks.
The text was updated successfully, but these errors were encountered: