[elrepo] Updateinfo for ELRepo 8?

Pat Riehecky riehecky at fnal.gov
Tue Jul 9 17:05:19 EDT 2019



On 7/9/19 3:19 PM, Akemi Yagi wrote:
> On Tue, Jul 9, 2019 at 8:54 AM Pat Riehecky <riehecky at fnal.gov> wrote:
>> Would the ELRepo project be open to providing a limited updateinfo for
>> ELRepo 8?
>>
>> There is a fairly viable python library[1] for building and managing the
>> XML file.  In theory this would permit folks using ELRepo to easily
>> install security errata (and get notifications from PackageKit about
>> missing ones).
>>
>> I'd be happy to assist getting this off the ground.
>>
>> Pat
>>
>> [1] https://pagure.io/python-Updateinfo
>>
>> --
>> Pat Riehecky
> Hi Pat,
>
> Thanks for your suggestion and offer to help. Due to my lack of
> complete knowledge of the subject, I need to ask a question.
>
> We don't differentiate between security/bug fix updates - we support
> the latest package release only, so users of elrepo should generally
> update to the latest version of whichever package(s) they may be
> using. In this situation how would the updateinfo benefit elrepo?
>
> Again pardon my ignorance.  :(  :)
>
> Akemi
> _______________________________________________
> elrepo mailing list
> elrepo at lists.elrepo.org
>

No worries :)

There are a few ways updateinfo could assist with things.

Part of the XML requires a publication date.  This could help with 
tracking down when a package was built for possible ABI breakage.  I 
also use it to track how often a given package is updated.[2]

There is a section where you can list related tickets for a given 
update.  This could be handy for tracking a package back to the original 
request.

One of the biggest uses is the distinction between security and 
non-security packages.  Admittedly I'm looking back a bit, but the 
nvidia kmod 295.40-1.el6.elrepo (CVE-2012-0946) was a bit scary.  Folks 
following the announcements knew what to do, and folks that installed 
the latest packages were fine.  But folks that were not subscribed to 
the list may not have been aware of the need to update.

I'm a firm believer in install all the updates, but alas not all folks 
do.  Generally folks break down into two camps: Users and Business.

With the metadata for an RPM tagged as a security update in EL8, 
PackageKit and GnomeSoftware nag a normal user about the missing 
security fix - I find this nag eventually forces the issue. From a "big 
business" process perspective, it can be easier to justify a change 
ticket for packages that are tagged as being security fixes.[3]

I'm not clear that ELRepo has (or needs) any commitment to do security 
tracking of packages.  And I'm not sure how much of a problem it would 
be if things were tagged by default as "not security"[4] (unless you are 
releasing it because it is security) and changed to 'security' if it is 
discovered to be a security fix. This would be a really nice feature for 
folks using Katello/Sat6.

So I guess my follow up question is: would these possible benefits be 
worth reviewing for the ELRepo workflow?

Or put another way, would there be a benefit to the project with some of 
the enhanced data visibility this would present?

Pat


[2]
For example, with the XSL I've got, click on the update id for an update in
  : WARNING 25MB XML PAGE LOAD :
http://ftp.scientificlinux.org/linux/scientific/7x/x86_64/os/repodata/updateinfo.xml

I'd estimate ELRepo 7 right now would be in the 18k size range.

[3] Katello/Sat6 has a specific workflow in place to promote security 
errata or really any errata that is listed in an updateinfo.  And 
another that lists outstanding updateinfo errata. Packages not listed in 
an updateinfo.xml are not listed as "errata" and not subject to this 
workflow.

If you are curious about this:
  https://www.theforeman.org/plugins/katello/3.12/user_guide/errata/index.html
  https://access.redhat.com/documentation/en-us/red_hat_satellite/6.5/html/managing_hosts/chap-red_hat_satellite-managing_hosts-configuring_host_collections#sect-Red_Hat_Satellite-Managing_Hosts-Adding_Errata_to_a_Host_Collection

[4] There are a bunch of types recognized by PackageKit beyond what RH uses
https://pagure.io/python-Updateinfo/blob/master/f/docs/updateinfo.xsd#_148

Perhaps ELRepo could use newpackage, errata, and security ?


-- 
Pat Riehecky

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org
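Added example for the format discussed in this thread (not ELRepo's tooling and not python-Updateinfo): it builds a minimal updateinfo.xml in the layout yum/dnf and PackageKit consume, with the publication date, reference list and `type="security"` tag the message describes, and then does what a client does with it: lists the security entries and works out which installed packages are behind a security fix. The security entry is modelled on the nvidia kmod 295.40-1.el6.elrepo / CVE-2012-0946 case mentioned above; the advisory IDs, issue dates, severity, the package name "kmod-nvidia", the collection name and the second (bugfix) update are constructed for illustration, and the EVR comparison is a simplified rpmvercmp, not the rpm library.

```python
"""Build and query a minimal updateinfo.xml (yum/dnf layout).

Added example; not ELRepo's code and not python-Updateinfo. Advisory IDs,
dates, severity, package/collection names below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Update types in the yum/dnf updateinfo format. PackageKit / GNOME Software
# flag "security" entries; `dnf update --security` installs only those.
UPDATE_TYPES = ("security", "bugfix", "enhancement", "newpackage")


def build_updateinfo(updates, from_addr="elrepo@lists.elrepo.org"):
    """Serialise a list of update dicts to updateinfo.xml bytes."""
    root = ET.Element("updates")
    for u in updates:
        if u["type"] not in UPDATE_TYPES:
            raise ValueError("unknown update type %r" % u["type"])
        upd = ET.SubElement(root, "update", {"from": from_addr, "status": "stable",
                                             "type": u["type"], "version": "1"})
        ET.SubElement(upd, "id").text = u["id"]
        ET.SubElement(upd, "title").text = u["title"]
        # Publication date: the field used for ABI / update-cadence tracking.
        ET.SubElement(upd, "issued", date=u["issued"].strftime("%Y-%m-%d %H:%M:%S"))
        if u.get("severity"):
            ET.SubElement(upd, "severity").text = u["severity"]
        ET.SubElement(upd, "description").text = u["description"]
        refs = ET.SubElement(upd, "references")
        for r in u.get("references", ()):  # reference type: "cve", "bugzilla", ...
            ET.SubElement(refs, "reference", href=r["href"], id=r["id"],
                          type=r["type"], title=r.get("title", r["id"]))
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection",
                             short=u["collection"])
        ET.SubElement(coll, "name").text = u["collection"]
        for p in u["packages"]:
            pkg = ET.SubElement(coll, "package", name=p["name"], epoch=p.get("epoch", "0"),
                                version=p["version"], release=p["release"], arch=p["arch"])
            ET.SubElement(pkg, "filename").text = "%s-%s-%s.%s.rpm" % (
                p["name"], p["version"], p["release"], p["arch"])
            # A real feed also carries <sum type="sha256"> of the RPM; omitted here.
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def list_updates(xml_bytes, only_type=None):
    """Summarise each <update>, roughly what `dnf updateinfo list` shows."""
    out = []
    for upd in ET.fromstring(xml_bytes).iter("update"):
        if only_type and upd.get("type") != only_type:
            continue
        out.append({"id": upd.findtext("id"), "type": upd.get("type"),
                    "issued": upd.find("issued").get("date"),
                    "cves": [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"],
                    "filenames": [f.text for f in upd.iter("filename")]})
    return out


_SEG = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpmvercmp(a, b):
    """Simplified rpm version compare: numeric segments numerically, alpha
    segments lexically, numeric beats alpha, '~' sorts before anything."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def missing_security_updates(xml_bytes, installed):
    """installed: {name: (epoch, version, release)} for one arch.
    Returns advisory IDs whose package is installed at an older EVR."""
    missing = []
    for upd in ET.fromstring(xml_bytes).iter("update"):
        if upd.get("type") != "security":
            continue
        for pkg in upd.iter("package"):
            have = installed.get(pkg.get("name"))
            if have is None:  # package not installed, advisory not applicable
                continue
            want = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
            if evr_cmp(have, want) < 0:
                missing.append(upd.findtext("id"))
                break
    return missing


# Constructed sample advisories (IDs, dates, severity and the bugfix entry are made up).
SAMPLE_UPDATES = [
    {"id": "ELREPO-2012-0001", "type": "security", "severity": "Important",
     "title": "kmod-nvidia security update", "issued": datetime(2012, 4, 10, 12, 0, 0),
     "description": "Update addressing CVE-2012-0946.",
     "references": [{"href": "https://nvd.nist.gov/vuln/detail/CVE-2012-0946",
                     "id": "CVE-2012-0946", "type": "cve"}],
     "collection": "el6",
     "packages": [{"name": "kmod-nvidia", "version": "295.40",
                   "release": "1.el6.elrepo", "arch": "x86_64"}]},
    {"id": "ELREPO-2012-0002", "type": "bugfix", "title": "kmod-example bugfix update",
     "issued": datetime(2012, 4, 12, 9, 30, 0), "description": "Non-security fix.",
     "collection": "el6",
     "packages": [{"name": "kmod-example", "version": "1.2",
                   "release": "3.el6.elrepo", "arch": "x86_64"}]},
]

if __name__ == "__main__":
    xml = build_updateinfo(SAMPLE_UPDATES)
    for u in list_updates(xml, only_type="security"):
        print(u["id"], u["issued"], u["cves"], u["filenames"])
    print(missing_security_updates(xml, {"kmod-nvidia": ("0", "295.33", "1.el6.elrepo")}))
```

The generated file is what a repo would attach to its metadata (for example `modifyrepo_c --mdtype=updateinfo updateinfo.xml repodata/` on the repository host), after which `dnf updateinfo list --security` on a client lists the entry and `dnf update --security` installs only the packages it names; the bugfix entry is deliberately left out of the security view to show the filter the thread is asking for.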
