[CentOS-devel] freetype package missed in repo

Wed Aug 4 13:49:22 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

On 04.08.21 14:00, Josh Boyer wrote:
> On Wed, Aug 4, 2021 at 6:14 AM Leon Fauster via CentOS-devel
> <centos-devel at centos.org> wrote:


>> Here is my context: I am comparing two nodes
>> based on CS8 (CentOS 8 Stream). One has
>> freetype-2.9.1-5.el8.x86_64
>> and the other has
>> freetype-2.9.1-4.el8_3.1.x86_64
> At one point in time during RHEL 8.4 development, freetype-2.9.1-5.el8
> was set to be shipped.  However, it only fixed a CVE and that CVE was
> already fixed by the freetype-2.9.1-4.el8_3.1 that was shipped as part
> of a batch update.  There was no reason to ship a build that didn't do
> anything, so it was dropped on the RHEL side.
> My educated guess is that Stream 8 picked up the -5.el8 build during
> the course of RHEL 8.4 development as expected, and then when it was
> dropped on the RHEL side it used the -4.el8_3.1 update because that is
> indeed the latest available even today.
> This is one of the unintended consequences of how Stream 8 is produced.

Thanks for the explanation. I did not think that such activity would
come so much to the front and produce an installable artifact. But it
looks like such dropped rpms do not have a serious impact (at least
this one).

>> The mirror
>> http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/
>> shows freetype-2.9.1-4.el8_3.1.x86_64 as the latest.
>> I wonder where this version 2.9.1-5 is coming from? The node was
>> regularly installed with C8 and then swapped to CS8 ...


>> I see it here
>> https://koji.mbox.centos.org/koji/packageinfo?packageID=408
>> but not on the mirrors ...
>> A retired package?
> Not retired, just a build that will never be shipped at this point.

I will incorporate this insight into our plausibility checks ... Thanks.