[CentOS] yum-plugin-security

Sat Nov 22 14:00:50 UTC 2014
Johnny Hughes <johnny at centos.org>

On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
> Hi all,
> 
> I have difficulty understanding the output of yum-plugin-security.
> 
> I am on a X86_64 machine and when I query for security updates, 
> yum lists i686 packages, that I don't have installed.
> 
> --------------------
> # yum check-update --security
> Loaded plugins: changelog, fastestmirror, security
> Loading mirror speeds from cached hostfile
>  * base: centos.mirror.linuxwerk.com
>  * epel: mirrors.n-ix.net
>  * extras: centos.mirror.sharkservers.co.uk
>  * updates: centos.mirror.sharkservers.co.uk
> Limiting package lists to security relevant ones
> No packages needed for security; 34 packages available
> 
> cyrus-sasl-devel.i686                          2.1.23-15.el6_6.1                 updates
> cyrus-sasl-lib.i686                            2.1.23-15.el6_6.1                 updates
> device-mapper-multipath-libs.i686              0.4.9-80.el6_6.1                  updates
> libXfont.i686                                  1.4.5-4.el6_6                     updates
> nss-softokn.i686                               3.14.3-18.el6_6                   updates
> nss-softokn-freebl.i686                        3.14.3-18.el6_6                   updates
> perl-libs.i686                                 4:5.10.1-136.el6_6.1              updates
> --------------------
> 
> I would have expected that it would list no packages,
> as its statement is "No packages needed for security"
> 
> When I run the query with no filtering on security relevant packages,
> it shows the X86_64 versions of the above listed packages.
> 
> Do we have a problem of inconsistent data in the repo?
> Are only the i686 packages marked with "security-update" flag?
> 
> --------------------
> # yum check-update 
> Loaded plugins: changelog, fastestmirror, security
> Loading mirror speeds from cached hostfile
>  * base: centos.mirror.linuxwerk.com
>  * epel: mirrors.n-ix.net
>  * extras: centos.mirror.sharkservers.co.uk
>  * updates: centos.mirror.sharkservers.co.uk
> 
> cyrus-sasl.x86_64                              2.1.23-15.el6_6.1                 updates
> cyrus-sasl-devel.x86_64                        2.1.23-15.el6_6.1                 updates
> cyrus-sasl-lib.x86_64                          2.1.23-15.el6_6.1                 updates
> ..
> device-mapper-multipath-libs.x86_64            0.4.9-80.el6_6.1                  updates
> ..
> libXfont.x86_64                                1.4.5-4.el6_6                     updates
> ..
> nss-softokn.x86_64                             3.14.3-18.el6_6                   updates
> nss-softokn-freebl.x86_64                      3.14.3-18.el6_6                   updates
> ..
> perl-libs.x86_64                               4:5.10.1-136.el6_6.1              updates

CentOS only tests that things work when doing all updates ... it does
not test any other grouping of packages.

In reality that is true for upstream support as well ... see the
first line in any upstream update in the solutions section.  Here is an
example:

https://rhn.redhat.com/errata/RHSA-2014-1870.html

First line in Solution Section:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

That does not say pick and choose errata or only install security
errata.  In reality, one should only NOT install an update if that
update causes problems.  That is any Errata update, not just security
updates.

The reason: all updates are built on a staged system.  Any updates built
today are built on / linked against the updates from yesterday.

If you use a perl package (that is an example name, could be any
package) built against today's update set on 6.3 .. it may or may not
work at all, or work correctly.  It also could possibly introduce
security issues never tested for because that combination is unique to
your install.

It might work fine, it might be horrible.

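The question in the thread was which rows of the `--security` listing actually correspond to something installed on the x86_64 host. The following is an added example, not code from the thread or from yum-plugin-security: it parses the text that `yum check-update --security` prints (skipping the plugin banner, mirror list and summary line), then keeps only rows whose name.arch appears in a list of installed packages, which on a real host would come from `rpm -qa --qf '%{NAME}.%{ARCH}\n'`. The yum output and the installed list below are constructed samples modelled on the listing quoted above. This is a read-only check on what the plugin output means for your box; it does not change the advice in the reply that you should apply all errata, not a hand-picked subset.

```python
import re

# Constructed sample of `yum check-update --security` output, modelled on the
# listing quoted in the thread. Header noise is included on purpose so the
# parser has to skip it.
SECURITY_SAMPLE = """\
Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.linuxwerk.com
 * updates: centos.mirror.sharkservers.co.uk
Limiting package lists to security relevant ones
No packages needed for security; 34 packages available

cyrus-sasl-devel.i686                          2.1.23-15.el6_6.1                 updates
cyrus-sasl-lib.i686                            2.1.23-15.el6_6.1                 updates
device-mapper-multipath-libs.i686              0.4.9-80.el6_6.1                  updates
libXfont.i686                                  1.4.5-4.el6_6                     updates
nss-softokn.i686                               3.14.3-18.el6_6                   updates
nss-softokn-freebl.i686                        3.14.3-18.el6_6                   updates
perl-libs.i686                                 4:5.10.1-136.el6_6.1              updates
"""

# Constructed sample of plain `yum check-update` (x86_64 rows only).
FULL_SAMPLE = """\
Loaded plugins: changelog, fastestmirror, security

cyrus-sasl.x86_64                              2.1.23-15.el6_6.1                 updates
cyrus-sasl-lib.x86_64                          2.1.23-15.el6_6.1                 updates
libXfont.x86_64                                1.4.5-4.el6_6                     updates
perl-libs.x86_64                               4:5.10.1-136.el6_6.1              updates
"""

# Constructed stand-in for the host's installed set, one name.arch per line,
# as `rpm -qa --qf '%{NAME}.%{ARCH}\n'` would print it.
INSTALLED_SAMPLE = """\
cyrus-sasl.x86_64
cyrus-sasl-lib.x86_64
libXfont.x86_64
perl-libs.x86_64
bash.x86_64
"""

# A package row is "<name>.<arch>  <epoch:version-release>  <repo>". Banner,
# mirror and summary lines never match because they lack the ".arch" token
# followed by exactly two more whitespace-separated fields.
PKG_LINE = re.compile(
    r"^(?P<name>\S+)\.(?P<arch>i386|i686|x86_64|noarch)"
    r"\s+(?P<evr>\S+)\s+(?P<repo>\S+)$"
)


def parse_check_update(text):
    """Return (name, arch, evr, repo) tuples for every package row in yum output."""
    rows = []
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            rows.append((m["name"], m["arch"], m["evr"], m["repo"]))
    return rows


def installed_only(rows, installed_text):
    """Keep only rows whose name.arch is present in the installed list."""
    installed = {l.strip() for l in installed_text.splitlines() if l.strip()}
    return [r for r in rows if f"{r[0]}.{r[1]}" in installed]


def applicable_names(yum_output, installed_text):
    """Sorted name.arch strings from yum_output that are installed locally."""
    rows = installed_only(parse_check_update(yum_output), installed_text)
    return sorted(f"{n}.{a}" for n, a, _, _ in rows)


if __name__ == "__main__":
    # On the constructed data the security listing yields nothing installed
    # (all rows are i686), while the full listing yields the x86_64 rows.
    print("security rows installed:", applicable_names(SECURITY_SAMPLE, INSTALLED_SAMPLE))
    print("all update rows installed:", applicable_names(FULL_SAMPLE, INSTALLED_SAMPLE))
```

To use it against a live host, write `yum check-update --security` output to a file (yum exits 100 when updates are listed, so do not treat that exit status as an error in a script) and feed it together with the `rpm -qa` output instead of the constructed samples.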