<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 7/9/19 3:19 PM, Akemi Yagi wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABA31Dpyf0qaaeew9s761_G8wWZTe550B+PjwMURPOTG8smJxw@mail.gmail.com">
<pre class="moz-quote-pre" wrap="">On Tue, Jul 9, 2019 at 8:54 AM Pat Riehecky <a class="moz-txt-link-rfc2396E" href="mailto:riehecky@fnal.gov"><riehecky@fnal.gov></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Would the ELRepo project be open to providing a limited updateinfo for
ELRepo 8?
There is a fairly viable python library[1] for building and managing the
XML file. In theory this would permit folks using ELRepo to easily
install security errata (and get notifications from PackageKit about
missing ones).
I'd be happy to assist getting this off the ground.
Pat
[1] <a class="moz-txt-link-freetext" href="https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_python-2DUpdateinfo&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=OAMtP0DWou0nlXG7Kmxo2enjXJfwb1DXS9fwcaESuTE&m=LBLCgToPbzzUo9ulP_-bul1Qh7dhe35Nipnrb64Yf50&s=umHJ3s6jcJgesSF_jq1NZW4g9yDOmxwvn84ZsWgKXLs&e=">https://urldefense.proofpoint.com/v2/url?u=https-3A__pagure.io_python-2DUpdateinfo&d=DwICAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=OAMtP0DWou0nlXG7Kmxo2enjXJfwb1DXS9fwcaESuTE&m=LBLCgToPbzzUo9ulP_-bul1Qh7dhe35Nipnrb64Yf50&s=umHJ3s6jcJgesSF_jq1NZW4g9yDOmxwvn84ZsWgKXLs&e=</a>
--
Pat Riehecky
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Hi Pat,
Thanks for your suggestion and offer to help. Due to my lack of
complete knowledge of the subject, I need to ask a question.
We don't differentiate between security/bug fix updates - we support
the latest package release only, so users of elrepo should generally
update to the latest version of which ever package(s) they may be
using. In this situation how would the updateinfo benefit elrepo?
Again pardon my ignorance. :( :)
Akemi
_______________________________________________
elrepo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:elrepo@lists.elrepo.org">elrepo@lists.elrepo.org</a>
</pre>
</blockquote>
<br>
No worries :)<br>
<br>
There are a few ways updateinfo could assist with things.<br>
<br>
Part of the XML requires a publication date. This could help with
tracking down when a package was built for possible ABI breakage. I
also use it to track how often a given package is updated.[2]<br>
<br>
There is a section where you can list related tickets for a given
update. This could be handy for tracking a package back to the
original request.<br>
<br>
One of the biggest uses is the distinction between security and
non-security packages. Admittedly I'm looking back a bit, but the
nvidia kmod <span class="pl-c1">295.40-1.el6.elrepo (</span><span
class="pl-c">CVE-2012-0946) was a bit scary. Folks following the
announcements knew what to do, and folks that installed the latest
packages were fine. But folks that were not subscribed to the
list may not have been aware of the need to update.<br>
<br>
</span><span class="pl-c"><span class="pl-c">I'm a firm believer in
install all the updates, but alas not all folks do. Generally
folks break down into two camps : Users and Business.<br>
<br>
</span>With the metadata for an RPM tagged as a security update in
EL8, PackageKit and GnomeSoftware nag a normal user about the
missing security fix - I find this nag eventually forces the
issue. </span>From a "big business" process perspective, it can
be easier to justify a change ticket for packages that are tagged as
being security fixes.[3]<br>
<br>
I'm not clear that ELRepo has (or needs) any commitment to do
security tracking of packages. And I'm not sure how much of a
problem it would be if things were tagged by default as "not
security"[4] (unless you are releasing it because it is security)
and changed to 'security' if it is discovered to be a security fix.
This would be a really nice feature for folks using Katello/Sat6.<br>
<br>
So I guess my follow up question is: would these possible benefits
be worth reviewing for the ELRepo workflow?<br>
<br>
Or put another way, would there be a benefit to the project with
some of the enhanced data visibility this would present?<br>
<br>
Pat<br>
<br>
<br>
[2]<br>
For example, with the XSL I've got click on the update id for an
update in<br>
: WARNING 25MB XML PAGE LOAD : <br>
<a class="moz-txt-link-freetext" href="http://ftp.scientificlinux.org/linux/scientific/7x/x86_64/os/repodata/updateinfo.xml">http://ftp.scientificlinux.org/linux/scientific/7x/x86_64/os/repodata/updateinfo.xml</a><br>
<br>
I'd estimate ELRepo 7 right now would be in the 18k size range.<br>
<br>
[3] Katello/Sat6 has a specific workflow in place to promote
security errata or really any errata that is listed in an
updateinfo. And another that lists outstanding updateinfo errata.
Packages not listed in an updateinfo.xml are not listed as "errata"
and not subject to this workflow.<br>
<br>
If you are curious about this : <br>
<a class="moz-txt-link-freetext" href="https://www.theforeman.org/plugins/katello/3.12/user_guide/errata/index.html">https://www.theforeman.org/plugins/katello/3.12/user_guide/errata/index.html</a><br>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-us/red_hat_satellite/6.5/html/managing_hosts/chap-red_hat_satellite-managing_hosts-configuring_host_collections#sect-Red_Hat_Satellite-Managing_Hosts-Adding_Errata_to_a_Host_Collection">https://access.redhat.com/documentation/en-us/red_hat_satellite/6.5/html/managing_hosts/chap-red_hat_satellite-managing_hosts-configuring_host_collections#sect-Red_Hat_Satellite-Managing_Hosts-Adding_Errata_to_a_Host_Collection</a><br>
<br>
[4] There are a bunch of types recognized by PackageKit beyond what
RH uses<br>
<a class="moz-txt-link-freetext" href="https://pagure.io/python-Updateinfo/blob/master/f/docs/updateinfo.xsd#_148">https://pagure.io/python-Updateinfo/blob/master/f/docs/updateinfo.xsd#_148</a><br>
<br>
Perhaps ELRepo could use newpackage, errata, and security ?<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Pat Riehecky
Fermi National Accelerator Laboratory
<a class="moz-txt-link-abbreviated" href="http://www.fnal.gov">www.fnal.gov</a>
<a class="moz-txt-link-abbreviated" href="http://www.scientificlinux.org">www.scientificlinux.org</a></pre>
</body>
</html>