Is it safe to remove packages from @anaconda repository?

lbaogui · July 4, 2023, 10:19am

Packages in @anaconda repository have security vulnerabilities which will be reported by our security monitoring system. Is it safe to remove all packages from @anaconda repository now that they are installer related and the os installation has already been done?

Ritov · July 4, 2023, 1:36pm

Its completely different. First, these are valid packages from baseos, appstream or other also valid repos. So, do not remove them. You would kill your installation. I see that the “tag” anaconda is confusing but its just means installed while installation. If you wanna get rid of it you could resintall those packages. I would take care package by package. For example:

dnf reinstall acl

# LANG=C dnf list acl
Last metadata expiration check: 1:55:22 ago on Tue Jul  4 13:40:23 2023.
Installed Packages
acl.x86_64                   2.3.1-3.el9                       @baseos

Cphusion · July 4, 2023, 2:55pm

You should probably run a “dnf update” and all the packages from the “@anaconda” repo should be updated to more up-to-date ones and then be replaced by either @baseos or@appstream.

Ritov · July 4, 2023, 6:06pm

Nope, if no update is available then packages remains with this meta information (@anaconda as repo source) …

Cphusion · July 4, 2023, 6:19pm

Can you give a couple of examples of which packages and which Rocky version because I have zero packages from @anaconda installed on my system.

Ritov · July 4, 2023, 8:22pm

Well, the system must of course have been installed via Anaconda. Right? Then you get these entries:

# dnf list all |grep @anaconda|sort |head -1
alternatives.x86_64             1.20-2.el9            @anaconda                                                

# dnf list all |grep @anaconda|wc -l
254

# dnf list all |grep @anaconda|sort |tail -1
zstd.x86_64                     1.5.1-2.el9           @anaconda

lbaogui · July 5, 2023, 1:55am

I’m using Rocky version 8.7. dnf reinstall will reinstall the package using baseos repo. But it won’t be upgraded. Specifically, I want to get rid of python3-pyyaml because of CVE-2020-14343 | Vulnerability Database | Aqua Security

[root@sc2-rdops-vm05-dhcp-178-186 vts]# dnf list |grep yaml
Failed to set locale, defaulting to C.UTF-8
libyaml.x86_64                                         0.1.7-5.el8                                                @anaconda 
python3-pyyaml.x86_64                                  3.12-12.el8                                                @baseos   
libyaml.i686                                           0.1.7-5.el8                                                baseos    
python2-pyyaml.x86_64                                  3.12-16.module+el8.5.0+706+735ec4b3                        appstream 
python3.11-pyyaml.x86_64                               6.0-1.el8                                                  appstream 
python38-pyyaml.x86_64                                 5.4.1-1.module+el8.5.0+672+ab6eb015                        appstream 
python39-pyyaml.x86_64                                 5.4.1-1.module+el8.5.0+673+10283621                        appstream

[root@sc2-rdops-vm05-dhcp-178-186 vts]# dnf upgrade python3-pyyaml
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 1:31:11 ago on Tue Jul  4 20:21:20 2023.
Dependencies resolved.
Nothing to do.
Complete!

Ritov · July 5, 2023, 9:18am

The version for python(36) - python3-pyyaml ist not affected. BTW, your scanner can not compare the version strings directly because EL rebuilds do have there own git-tags for rpm modules versioning (e.g. 5.4.1-1.module+el8.5.0+672+ab6eb015). And if you consider security as important, you should do

yum clean all; yum update

to update to the latest state of RL → 8.8.

lbaogui · July 5, 2023, 9:40am

Thank you for reply. We’ve decided to try latest version of rocky linux. It has much fewer vulnerabilities detected by our scanner.

Cphusion · July 5, 2023, 11:20am

What version were you running?