On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
Hi all,
I have difficulty understanding the output of yum-plugin-security.
I am on an X86_64 machine and when I query for security updates, yum lists i686 packages that I don't have installed.
# yum check-update --security
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
- base: centos.mirror.linuxwerk.com
- epel: mirrors.n-ix.net
- extras: centos.mirror.sharkservers.co.uk
- updates: centos.mirror.sharkservers.co.uk
Limiting package lists to security relevant ones
No packages needed for security; 34 packages available

cyrus-sasl-devel.i686                  2.1.23-15.el6_6.1      updates
cyrus-sasl-lib.i686                    2.1.23-15.el6_6.1      updates
device-mapper-multipath-libs.i686      0.4.9-80.el6_6.1       updates
libXfont.i686                          1.4.5-4.el6_6          updates
nss-softokn.i686                       3.14.3-18.el6_6        updates
nss-softokn-freebl.i686                3.14.3-18.el6_6        updates
perl-libs.i686                         4:5.10.1-136.el6_6.1   updates
I would have expected that it would list no packages, as its statement is "No packages needed for security".
When I run the query with no filtering on security relevant packages, it shows the X86_64 versions of the above-listed packages.
Do we have a problem of inconsistent data in the repo? Are only the i686 packages marked with the "security-update" flag?
# yum check-update
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
- base: centos.mirror.linuxwerk.com
- epel: mirrors.n-ix.net
- extras: centos.mirror.sharkservers.co.uk
- updates: centos.mirror.sharkservers.co.uk

cyrus-sasl.x86_64                      2.1.23-15.el6_6.1      updates
cyrus-sasl-devel.x86_64                2.1.23-15.el6_6.1      updates
cyrus-sasl-lib.x86_64                  2.1.23-15.el6_6.1      updates
..
device-mapper-multipath-libs.x86_64    0.4.9-80.el6_6.1       updates
..
libXfont.x86_64                        1.4.5-4.el6_6          updates
..
nss-softokn.x86_64                     3.14.3-18.el6_6        updates
nss-softokn-freebl.x86_64              3.14.3-18.el6_6        updates
..
perl-libs.x86_64                       4:5.10.1-136.el6_6.1   updates

CentOS only tests that things work when doing all updates ... it does not test any other grouping of packages.
In reality that is also true for upstream support as well ... see the first line in any upstream update in the solutions section. Here is an example:
https://rhn.redhat.com/errata/RHSA-2014-1870.html
First line in Solution Section:
"Before applying this update, make sure all previously released errata relevant to your system have been applied."
That does not say pick and choose errata or only install security errata. In reality, one should only NOT install an update if that update causes problems. That is any Errata update, not just security updates.
The reason: all updates are built on a staged system. Any updates built today are built on / linked against the updates from yesterday.
If you use a perl package (that is an example name, could be any package) built against today's update set on 6.3 .. it may or may not work at all, or work correctly. It also could possibly introduce security issues never tested for because that combination is unique to your install.
It might work fine, it might be horrible.