Bug 1243790

Summary: [rfe] Plugin to check and warn about orphaned/packages with security issues
Product: Fedora
Component: dnf-plugins-extras
Version: rawhide
Reporter: Stefan Cornelius <scorneli>
Assignee: rpm-software-management
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jkadlcik, jzeleny, packaging-team-maint, scorneli, tim.lauridsen, vmukhame
Status: CLOSED WONTFIX
Severity: unspecified
Priority: low
Keywords: FutureFeature, Triaged
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2023-08-22 07:37:17 UTC

Description Stefan Cornelius 2015-07-16 10:09:45 UTC
Description of problem:
It's possible that packages reach a dangerous state and are orphaned due to unavailable/unresponsive maintainers or security issues. The administrator is not always aware of such problems.

This is an RFE for a dnf plugin, which will help in such cases by identifying those dangerous packages and warning the user about them. A very rough description is available in https://sparkslinux.wordpress.com/2015/03/26/for-discussion-orphaned-package-in-fedora/ "The idea" part.

I'd like to hear your opinion about this, especially with regards to implementation details like file format or possible problems you anticipate.

Comment 4 Honza Silhan 2015-08-12 11:50:04 UTC
Stephan, can you please answer if you are willing to work on this (and reuse Michal's research) or not? Otherwise I am giving it a low prio with little to no chance of having it done.

Comment 5 Stefan Cornelius 2015-08-12 12:31:17 UTC
Sorry! I can't tell you right now if I'll be able to implement this. It depends on whether or not I can get this approved as a "personal goal", but I would estimate that this is at least a quarter year away. I could ask around if somebody else from the Fedora Security Team can do this earlier.

Creating a basic prototype checking the NVR of a single package using operators like <, >, <=, >=, == shouldn't be too hard. But I assume that there are corner cases that will likely need to operate on more than one package at a time with logic operators like AND and OR. Especially with libraries and other dependencies things will then become complicated quite quickly.

I'm not sure if we should figure all of this out beforehand, or if we should use the simplest working thing and extend it as we go.
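
Added example (not code from this bug or from dnf-plugins-extras): a sketch of the rule matcher comment 5 describes, with single-package NVR comparisons using the operators <, >, <=, >=, == and "all"/"any" combinations for the multi-package corner cases. Assumptions: the rule format (dicts with name/op/evr leaves nested under "all" or "any") is hypothetical; rpm's version ordering is reimplemented in pure Python so the example runs without the rpm bindings (a real plugin would call rpm.labelCompare or dnf's own EVR handling, and the '^' marker is not handled here); the INSTALLED and WARNINGS data are constructed for the demo.

```python
# Added example, not code from the bug or from dnf-plugins-extras.  Assumptions:
# the rule format (name/op/evr leaves under "all"/"any") is hypothetical; rpm's
# version ordering is reimplemented here so this runs without the rpm bindings
# (a real plugin would use rpm.labelCompare); '^' is not handled; INSTALLED and
# WARNINGS are constructed data.
import re
import string

_KEEP = set(string.ascii_letters + string.digits + "~")   # everything else is a separator


def rpmvercmp(a, b):
    """rpm's version ordering: digit/letter segments, separators ignored,
    '~' sorts before anything else, numeric beats alpha.  Returns -1/0/1."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and a[i] not in _KEEP:   # skip separators
            i += 1
        while j < len(b) and b[j] not in _KEEP:
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]          # "" once a side is exhausted
        if ca == "~" or cb == "~":                 # pre-release marker loses
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        seg_a, seg_b = ma.group(0), (mb.group(0) if mb else "")
        if not seg_b:                              # digit vs letter segment
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = i + ma.end(), j + mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1              # leftover segments win


def parse_evr(evr):
    epoch, sep, rest = evr.partition(":")        # '[epoch:]version[-release]'
    epoch, rest = (epoch, rest) if sep else ("0", evr)
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a, b, ignore_release=False):
    """labelCompare-style EVR comparison: epoch numerically, then version,
    then release (unless ignore_release).  Returns -1/0/1."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    c = (int(ea) > int(eb)) - (int(ea) < int(eb)) or rpmvercmp(va, vb)
    if c or ignore_release:
        return c
    return rpmvercmp(ra, rb)


OPS = {"<": (-1,), "<=": (-1, 0), "==": (0,), ">=": (0, 1), ">": (1,)}  # accepted outcomes


def matches(rule, installed):
    """Evaluate a rule tree against {name: evr}.  A leaf whose evr has no
    release part compares epoch and version only (design choice here)."""
    if "all" in rule:
        return all(matches(r, installed) for r in rule["all"])
    if "any" in rule:
        return any(matches(r, installed) for r in rule["any"])
    have = installed.get(rule["name"])
    if have is None:                             # not installed: nothing to warn about
        return False
    no_release = not parse_evr(rule["evr"])[2]
    return evrcmp(have, rule["evr"], no_release) in OPS[rule["op"]]


def check(installed, warnings):
    """Ids of the warnings whose rule matches the installed package set."""
    return [w["id"] for w in warnings if matches(w["match"], installed)]


INSTALLED = {"libfoo": "1.2-3.fc22", "foo-tools": "1.2-3.fc22",     # constructed
             "bar": "1:0.9.1-1.fc22", "baz": "2.0~rc1-1.fc22"}
WARNINGS = [                                                         # constructed
    {"id": "W-1", "reason": "libfoo is orphaned",
     "match": {"name": "libfoo", "op": "<=", "evr": "1.2-3.fc22"}},
    {"id": "W-2", "reason": "foo-tools < 1.3 is affected only with libfoo < 1.2-4",
     "match": {"all": [{"name": "foo-tools", "op": "<", "evr": "1.3"},
                       {"name": "libfoo", "op": "<", "evr": "1.2-4"}]}},
    {"id": "W-3", "reason": "pre-release build of bar or baz installed",
     "match": {"any": [{"name": "bar", "op": "==", "evr": "1:0.9.1-1.fc22"},
                       {"name": "baz", "op": "<", "evr": "2.0"}]}},
    {"id": "W-4", "reason": "qux was retired",
     "match": {"name": "qux", "op": ">=", "evr": "0"}},
]
```

check(INSTALLED, WARNINGS) returns the ids of W-1, W-2 and W-3; W-4 stays silent because qux is not installed. The "all" rule in W-2 is the library case from the comment: foo-tools is only flagged while the vulnerable libfoo build is also present, so updating either package clears the warning. A leaf without a release (as in "1.3" or "2.0") deliberately ignores the release tag, which keeps rules short but means "< 2.0" also catches 2.0~rc1.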

Comment 6 Igor Gnatenko 2015-12-12 19:26:29 UTC
Nice to have...

Comment 7 Fedora Admin XMLRPC Client 2016-07-21 12:40:24 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 8 Jaroslav Mracek 2023-08-22 07:37:17 UTC
I believe that the request is blocked by the absence of a database or metadata that would contain information about problematic packages. In several cases the requested plugin could be replaced by the updateinfo command. If the package has a security issue then the updateinfo metadata could mention that. I am really sorry, but I don't think that the feature is deliverable.

PS: delivering information about broken packages in RPM would not be practical, because the installed data could get outdated very easily: the install operation uses metadata, but information about problems would become available after the install.