I have said multiple times now in the last three weeks “wow, that’s a lot of updating of the OS!”
So, just thought I’d ask a couple of questions. (I have Rocky 9.1 Onyx installed)
Where do I go to see what is included in the OS update?
Why are there so many OS updates - i.e. frequency is weekly / biweekly? I find the frequency to be inconvenient if these are not emergency patches or updates.
Thanks in advance for any answer to these questions.
You can view the change logs of the packages by issuing rpm -q --changelog <name> - More details of the sources are in our git.
We issue updates typically as Red Hat issues them. This can happen any day of the week (normally not on the weekends). We strive to have updates out within 24-48 hours. See our wiki for more information.
Not criticizing, just an observation - the errata are updated quite late. That is, updates are already available/installed, then days later the errata? Is this known?
You’re 100% right. It’s something we’re working to close the gap on. The short explanation is that there have been a lot of issues with the RH errata api in recent months and we’ve had to go back and fetch them. Along with this, we’re under way on some revisions to our build system in order to fully integrate the errata subsystem with the rest of the build and compose functions in order to make sure we keep the errata and packages in lock step. I apologize for the recent delay, as it’s been mostly due to my being spread a bit thin.
I’m posting discussions on our GitHub repo this weekend for Peridot related to these sorts of features, and we’d love feedback about what the users want, especially w.r.t. errata. I’ll comment back here with a link to the relevant discussion(s) when they’re posted.
In addition to checking https://errata.rockylinux.org, you can do some minor investigation on the command line to determine which of the available packages are enhancements, bugfixes or security issues; severity can also be investigated more closely.
Check which packages are enhancements with dnf check-update --enhancement.
Check which packages fix bugs with dnf check-update --bugfix.
Check which packages fix security issues with dnf check-update --security.
Check the specific severity level of fixes by using one of the following severity levels: dnf check-update --sec-severity [Critical|Important|Moderate|Low]
I noticed that the --advisory and --cve flags didn’t seem to be working with dnf update even when listed on https://errata.rockylinux.org. Not sure if it is also related to the RH errata api changes, but I’ll go ahead and mention I would love to have both flags working for patching all packages applicable to the specific errata and cve id.
Once the discussion link is posted I’ll add comments there and any additional requests/findings.
[root@xmpp01 ~]# dnf update --advisory RLSA-2023:1368
Last metadata expiration check: 0:41:55 ago on Thu 20 Apr 2023 04:34:44 PM MST.
Dependencies resolved.
================================================================================================================================================================
Package Architecture Version Repository Size
================================================================================================================================================================
Upgrading:
nspr x86_64 4.34.0-18.el9_1 appstream 135 k
nss x86_64 3.79.0-18.el9_1 appstream 703 k
nss-softokn x86_64 3.79.0-18.el9_1 appstream 379 k
nss-softokn-freebl x86_64 3.79.0-18.el9_1 appstream 330 k
nss-sysinit x86_64 3.79.0-18.el9_1 appstream 20 k
nss-tools x86_64 3.79.0-18.el9_1 appstream 428 k
nss-util x86_64 3.79.0-18.el9_1 appstream 88 k
Transaction Summary
================================================================================================================================================================
Upgrade 7 Packages
Total download size: 2.0 M
Is this ok [y/N]: n
[root@xmpp01 ~]# dnf update --cve CVE-2023-0767
Last metadata expiration check: 0:01:25 ago on Thu 20 Apr 2023 05:19:24 PM MST.
Dependencies resolved.
================================================================================================================================================================
Package Architecture Version Repository Size
================================================================================================================================================================
Upgrading:
nspr x86_64 4.34.0-18.el9_1 appstream 135 k
nss x86_64 3.79.0-18.el9_1 appstream 703 k
nss-softokn x86_64 3.79.0-18.el9_1 appstream 379 k
nss-softokn-freebl x86_64 3.79.0-18.el9_1 appstream 330 k
nss-sysinit x86_64 3.79.0-18.el9_1 appstream 20 k
nss-tools x86_64 3.79.0-18.el9_1 appstream 428 k
nss-util x86_64 3.79.0-18.el9_1 appstream 88 k
Transaction Summary
================================================================================================================================================================
Upgrade 7 Packages
Total download size: 2.0 M
Is this ok [y/N]:
Do you mean like this? There are cases where the errata is not being applied (or available immediately upstream) which causes some information to be missing/latent in our own repos. This is part of the gaps we’re trying to close by trying to update our metadata as soon as it’s available within a reasonable time frame.
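A check for the gap discussed in this thread (packages published before their errata metadata), as an added example that is not from any poster or from the Rocky Linux project: it compares saved dnf check-update output with saved dnf updateinfo list output and prints the pending packages that no advisory covers yet. The sample text, the examplepkg package and the advisory IDs are constructed placeholders, and the three-column output layouts of both commands are assumptions.

```shell
#!/usr/bin/env bash
# Added example: list pending updates that have no advisory metadata yet.
# On a real host the two inputs would come from:
#   dnf -q check-update      (rows: name.arch  version-release  repo)
#   dnf -q updateinfo list   (rows: advisory   type/severity    nevra)
# Everything below is constructed sample data; advisory IDs are placeholders.

SAMPLE_PENDING='Last metadata expiration check: 0:01:25 ago.

nspr.x86_64          4.34.0-18.el9_1    appstream
nss.x86_64           3.79.0-18.el9_1    appstream
examplepkg.noarch    1.2-3.el9          baseos'

SAMPLE_ADVISORIES='RLSA-0000:0001 Important/Sec. nspr-4.34.0-18.el9_1.x86_64
RLSA-0000:0001 Important/Sec. nss-3.79.0-18.el9_1.x86_64'

# check-update rows on stdin -> name-version-release.arch, one per line.
pending_nevras() {
  awk '/^Obsoleting Packages/ { exit }
       NF == 3 && $1 ~ /\./ {
         i = match($1, /\.[^.]+$/)          # position of the last dot
         print substr($1, 1, i - 1) "-" $2 substr($1, i)
       }' | sort -u
}

# updateinfo rows on stdin -> the package column, one per line.
advisory_nevras() {
  awk 'NF == 3 && $1 ~ /^[A-Z]+-[0-9]+:[0-9]+$/ { print $3 }' | sort -u
}

# $1 = check-update text, $2 = updateinfo text.
# Prints pending packages that appear in no advisory.
uncovered() {
  covered=$(printf '%s\n' "$2" | advisory_nevras)
  printf '%s\n' "$1" | pending_nevras | grep -vxF -e "$covered" || true
}

# $1 = updateinfo text. Prints "<count> <type>" per advisory type/severity.
by_type() {
  printf '%s\n' "$1" |
    awk 'NF == 3 { n[$2]++ } END { for (t in n) print n[t], t }' | sort
}

uncovered "$SAMPLE_PENDING" "$SAMPLE_ADVISORIES"
by_type "$SAMPLE_ADVISORIES"
```

A package listed by uncovered would not be selected by dnf update --security, --advisory or --cve until its advisory metadata is published.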