On 04.08.21 14:00, Josh Boyer wrote:
On Wed, Aug 4, 2021 at 6:14 AM Leon Fauster via CentOS-devel centos-devel@centos.org wrote:
<snip>
Here my context: I am comparing two nodes based on CS8 (Centos 8 Stream ). One have
freetype-2.9.1-5.el8.x86_64 and the other have freetype-2.9.1-4.el8_3.1.x86_64
At one point in time during RHEL 8.4 development, freetype-2.9.1-5.el8 was set to be shipped. However, it only fixed a CVE and that CVE was already fixed by the freetype-2.9.1-4.el8_3.1 that as shipped as part of a batch update. There was no reason to ship a build that didn't do anything, so it was dropped on the RHEL side.
My educated guess is that Stream 8 picked up the -5.el8 build during the course of RHEL 8.4 development as expected, and then when it was dropped on the RHEL side it used the -4.el8_3.1 update because that is indeed the latest available even today.
This is one of the unintended consequences of how Stream 8 is produced.
Thanks for the explanation. I did not though that such activity would come so much to the front and produce a installable artifact. But it looks like that such dropped rpms do not have a serious impact (at least this one).
The mirror http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/ shows freetype-2.9.1-4.el8_3.1.x86_64 has the latest.
I wonder where this version 2.9.1-5 is coming from? The node was regularly installed with C8 and then swapped to CS8 ...
<snip>
I see it here
https://koji.mbox.centos.org/koji/packageinfo?packageID=408
but not on the mirrors ...
A retired package?
Not retired, just a build that will never be shipped at this point.
I will incorporate this insight into our plausibility checks ... Thanks.
-- Leon