Dnf security updates

Hi,

I installed my first Rocky Linux distro (Rocky Linux 9) about 6 months ago. Since then, I’ve been trying to patch regularly using dnf instead of yum. I’m used to running/patching CentOS servers so I’ve only ever used yum. But, with RL, my understanding is that I should be using dnf instead of yum to patch RL. I’m only interested in applying security updates, so I run:

dnf check-update --security 

In the past 6 months, there have been no updates to apply, so I haven’t patched it once. This doesn’t sound right, though. When I don’t add the security flag:

dnf check-update

it shows me many updates, obviously, including kernel updates. I assume that at least one of the kernel updates would be for a security reason, so I’m wondering why no updates are showing when I use the security flag. Or, am I using dnf wrong? Any suggestions/advice?

Errata is currently not supported in Rocky Linux 9. Work is being done in the build system (peridot) to support this in the future. For now you will have to run dnf update and update to full until then.

1 Like

I see it here and there; that the assumption to apply only “security” updates results in a save/secure system. As the upstream RH stated on every errata

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

IMO, this “–security” feature should be used to prioritize the task of updating the fleet and not to filter updates out.

1 Like

All the “relevant” packages are most likely not flagged “security” even on RHEL.

Overall, Enterprise Linux premise is that a major version remains usable its entire lifetime (a decade).
That means conservative feature updates, or else the premise is not kept.

It is true that on special cases Red Hat has been forced to inject more drastic changes. Those have been rare and primarily about security.

In other words, the plain dnf up regularly is the Way (and heed the advice of needs-restarting -r).

CentOS Linux never had any errata metadata, yet we did not suffer.

The yum is symlink to dnf. Same program. The yum is thus a mere backwards compatibility alias for convenience that both older documentation and user scripts are likely to refer/call.