Rocky Linux 9 + Foreman/Katello — Security errata filters break dependency consistency

Hi everyone,

I’m facing a strange issue using Rocky Linux repositories managed through Foreman/Katello Content Views, and I would like to understand whether this behavior is expected or whether someone has already faced a similar problem.

Environment

  • Rocky Linux 9.6 clients
  • Foreman/Katello
  • Repositories synchronized with Complete Mirroring
  • Architecture restricted to x86_64 only
  • Content Views filtered using errata publication date
  • Security updates executed with:

dnf update --security

Problem

After publishing a Content View filtered by errata date, clients start failing during security updates because some dependencies are missing even if the security advisory is available.

Example:

Error:
 Problem 1: cannot install the best update candidate for package libcurl-7.76.1-31.el9.x86_64
  - nothing provides openssl-libs(x86-64) >= 1:3.5.1 needed by libcurl-7.76.1-40.el9.x86_64

What I found

The advisory metadata is correctly visible through:

dnf updateinfo list security all

For example:

  • libcurl security advisory is present
  • python3 security advisory is present

However, some required RPMs are NOT present inside the published Content View.

Example:

  • advisory references openssl-libs >= 3.5.1
  • but openssl-libs is missing from the Content View package list

This creates an inconsistent repository state where:

  • security metadata exists
  • but the dependency chain is incomplete

Additional details

Repositories are synchronized correctly and in “complete mirroring” mode.

The issue appears only when using errata date filters to freeze repositories at a specific historical date.

If I remove the errata filters and publish a full snapshot, everything works correctly.

My question

Is this expected behavior on Rocky Linux repositories?

More specifically:

  • are errata dates guaranteed to be dependency-consistent?
  • can advisory metadata reference packages whose dependencies were published later?
  • is filtering repositories by errata publication date unsupported/recommended against on Rocky Linux?

My goal is to maintain historical “frozen” environments while still allowing:

  • dnf update --security
  • security-only patching
  • dependency consistency

At the moment this seems impossible using errata-date filtering.

Any suggestion or clarification would be appreciated.

For completeness, I also opened a discussion on the Foreman/Katello forum, and Jeremy Lenz clarified that errata date filtering does not guarantee dependency-consistent repositories and that this approach is not suitable for maintaining frozen environments while simultaneously supporting dnf update --security.

The discussion can be found here:
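Added example (not part of the original post, and not Foreman/Katello code): a minimal dependency-closure check of the kind that could gate publishing a date-filtered Content View, run here over constructed metadata modelled on the libcurl/openssl-libs error above. The package dictionaries, the helper names and the openssl-libs build numbers are assumptions for illustration, and the version comparison is a simplified form of RPM's ordering.

```python
import re
from itertools import zip_longest

def parse_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def seg_cmp(a, b):
    """Simplified rpmvercmp: digit/alpha segments only, no ~ or ^ handling."""
    split = lambda s: re.findall(r"\d+|[A-Za-z]+", s)
    for x, y in zip_longest(split(a), split(b), fillvalue=""):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment sorts newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0

def evr_cmp(have, want):
    (e1, v1, r1), (e2, v2, r2) = parse_evr(have), parse_evr(want)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    # A requirement without a release matches any release of that version.
    return seg_cmp(v1, v2) or (seg_cmp(r1, r2) if r2 else 0)

def satisfied(cap, op, want, view):
    ok = {">=": lambda c: c >= 0, "=": lambda c: c == 0, None: lambda c: True}[op]
    return any(pcap == cap and ok(evr_cmp(pevr, want or pevr))
               for pkg in view for pcap, pevr in pkg["provides"])

def unresolved(view):
    """Return (package, requirement) pairs that nothing in the view provides."""
    return [(f'{p["name"]}-{p["evr"]}', " ".join(filter(None, r)))
            for p in view for r in p["requires"] if not satisfied(*r, view)]

def pkg(name, evr, requires=()):
    cap = f"{name}(x86-64)"
    return {"name": name, "evr": evr, "provides": [(cap, evr)], "requires": list(requires)}

# Constructed sample metadata; the openssl-libs builds are illustrative values.
LIBCURL = pkg("libcurl", "7.76.1-40.el9", [("openssl-libs(x86-64)", ">=", "1:3.5.1")])
FROZEN = [LIBCURL, pkg("openssl-libs", "1:3.2.2-6.el9")]   # date-filtered view
FULL = [LIBCURL, pkg("openssl-libs", "1:3.5.1-3.el9")]     # unfiltered snapshot

if __name__ == "__main__":
    print({"frozen": unresolved(FROZEN), "full": unresolved(FULL)})
```

The frozen view reports the same unmet requirement as the dnf error, while the full snapshot is dependency-closed. Against a real published repository, the dnf repoclosure plugin performs this kind of check on the actual metadata.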