Is it safe to remove packages from @anaconda repository?

Packages in @anaconda repository have security vulnerabilities which will be reported by our security monitoring system. Is it safe to remove all packages from @anaconda repository now that they are installer related and the os installation has already been done?

Its completely different. First, these are valid packages from baseos, appstream or other also valid repos. So, do not remove them. You would kill your installation. I see that the “tag” anaconda is confusing but its just means installed while installation. If you wanna get rid of it you could resintall those packages. I would take care package by package. For example:

dnf reinstall acl
# LANG=C dnf list acl
Last metadata expiration check: 1:55:22 ago on Tue Jul  4 13:40:23 2023.
Installed Packages
acl.x86_64                   2.3.1-3.el9                       @baseos

You should probably run a “dnf update” and all the packages from the “@anaconda” repo should be updated to more up-to-date ones and then be replaced by either @baseos or@appstream.

Nope, if no update is available then packages remains with this meta information (@anaconda as repo source) …

Can you give a couple of examples of which packages and which Rocky version because I have zero packages from @anaconda installed on my system.

Well, the system must of course have been installed via Anaconda. Right? Then you get these entries:

# dnf list all |grep @anaconda|sort |head -1
alternatives.x86_64             1.20-2.el9            @anaconda                                                

# dnf list all |grep @anaconda|wc -l

# dnf list all |grep @anaconda|sort |tail -1
zstd.x86_64                     1.5.1-2.el9           @anaconda            

I’m using Rocky version 8.7. dnf reinstall will reinstall the package using baseos repo. But it won’t be upgraded. Specifically, I want to get rid of python3-pyyaml because of CVE-2020-14343 | Vulnerability Database | Aqua Security

[root@sc2-rdops-vm05-dhcp-178-186 vts]# dnf list |grep yaml
Failed to set locale, defaulting to C.UTF-8
libyaml.x86_64                                         0.1.7-5.el8                                                @anaconda 
python3-pyyaml.x86_64                                  3.12-12.el8                                                @baseos   
libyaml.i686                                           0.1.7-5.el8                                                baseos    
python2-pyyaml.x86_64                                  3.12-16.module+el8.5.0+706+735ec4b3                        appstream 
python3.11-pyyaml.x86_64                               6.0-1.el8                                                  appstream 
python38-pyyaml.x86_64                                 5.4.1-1.module+el8.5.0+672+ab6eb015                        appstream 
python39-pyyaml.x86_64                                 5.4.1-1.module+el8.5.0+673+10283621                        appstream
[root@sc2-rdops-vm05-dhcp-178-186 vts]# dnf upgrade python3-pyyaml
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 1:31:11 ago on Tue Jul  4 20:21:20 2023.
Dependencies resolved.
Nothing to do.

The version for python(36) - python3-pyyaml ist not affected. BTW, your scanner can not compare the version strings directly because EL rebuilds do have there own git-tags for rpm modules versioning (e.g. 5.4.1-1.module+el8.5.0+672+ab6eb015). And if you consider security as important, you should do

yum clean all; yum update

to update to the latest state of RL → 8.8.

Thank you for reply. We’ve decided to try latest version of rocky linux. It has much fewer vulnerabilities detected by our scanner.

What version were you running?