Bug 1243790 - [rfe] Plugin to check and warn about orphaned/packages with security issues
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf-plugins-extras
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: unspecified
Target Milestone: ---
Assignee: rpm-software-management
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-07-16 10:09 UTC by Stefan Cornelius
Modified: 2023-08-22 07:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-22 07:37:17 UTC
Type: Bug
Embargoed:



Description Stefan Cornelius 2015-07-16 10:09:45 UTC
Description of problem:
It's possible that packages reach a dangerous state and are orphaned due to unavailable/unresponsive maintainers or security issues. The administrator is not always aware of such problems.

This is an RFE for a dnf plugin, which will help in such cases by identifying those dangerous packages and warning the user about them. A very rough description is available in the "The idea" part of https://sparkslinux.wordpress.com/2015/03/26/for-discussion-orphaned-package-in-fedora/.

I'd like to hear your opinion about this, especially with regards to implementation details like file format or possible problems you anticipate.

Comment 4 Honza Silhan 2015-08-12 11:50:04 UTC
Stefan, can you please answer whether you are willing to work on this (and reuse Michal's research) or not? Otherwise I am giving it a low prio with little to no chance of having it done.

Comment 5 Stefan Cornelius 2015-08-12 12:31:17 UTC
Sorry! I can't tell you right now if I'll be able to implement this. It depends on whether or not I can get this approved as a "personal goal", but I would estimate that this is at least a quarter year away. I could ask around if somebody else from the Fedora Security Team can do this earlier.

Creating a basic prototype checking the NVR of a single package using operators like <, >, <=, >=, == shouldn't be too hard. But I assume that there are corner cases that will likely need to operate on more than one package at a time with logic operators like AND and OR. Especially with libraries and other dependencies things will then become complicated quite quickly.

I'm not sure if we should figure all of this out beforehand, or if we should use the simplest working thing and extend it as we go.
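Comment 5 sketches an NVR check using comparison operators, extended with AND/OR across several packages. The following is an added illustration of what such an evaluator could look like; it is not code from this bug, from DNF or from any existing plugin. The advisory feed format, the package names and versions, and the nested-tuple expression syntax are all assumptions, and the version comparison is a simplified stand-in for rpm's rpmvercmp.

```python
import re
from itertools import zip_longest

# Constructed sample data: neither the feed format nor these names/versions
# come from the bug report; the nested-tuple expression syntax is an assumption.
INSTALLED = {"openssl": "1.0.1e-2.fc22", "libfoo": "2.1-1", "bar": "0.4-1", "baz": "3.0-1"}
ADVISORIES = [
    {"id": "DEMO-1", "match": ("cmp", "openssl", "<", "1.0.1e-3")},
    {"id": "DEMO-2", "match": ("and", ("cmp", "libfoo", ">=", "2.0-1"), ("cmp", "bar", "<", "0.5-2"))},
    {"id": "DEMO-3", "match": ("or", ("cmp", "baz", "<", "2.0-1"), ("cmp", "qux", "<", "1.0-1"))},
]
OPS = {"<": (-1,), "<=": (-1, 0), "==": (0,), ">=": (0, 1), ">": (1,)}

def _vercmp(a, b):
    """Simplified rpmvercmp: compare numeric/alpha segments left to right
    (no tilde/caret handling); the string with more segments wins a tie."""
    for x, y in zip_longest(re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)):
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts after alpha, as in rpm
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        if x != y:
            return -1 if x < y else 1
    return 0

def _split_evr(evr):  # "[epoch:]version[-release]" -> (epoch, version, release)
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    """Return -1, 0 or 1 for a <, ==, > b; epoch dominates, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = _split_evr(a), _split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _vercmp(va, vb) or _vercmp(ra, rb)

def evaluate(expr, installed):
    """expr is ("cmp", name, op, evr), ("and", *exprs) or ("or", *exprs)."""
    if expr[0] == "cmp":
        _, name, op, evr = expr
        if name not in installed:
            return False  # an absent package cannot be in a dangerous state
        return evr_cmp(installed[name], evr) in OPS[op]
    results = [evaluate(sub, installed) for sub in expr[1:]]
    return all(results) if expr[0] == "and" else any(results)

def find_warnings(advisories, installed):
    return [a["id"] for a in advisories if evaluate(a["match"], installed)]  # matching advisory IDs
```

The library/consumer pair in DEMO-2 shows the AND case the comment anticipates; a real plugin would take `installed` from the rpmdb and the advisories from signed repository metadata rather than a literal.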

Comment 6 Igor Gnatenko 2015-12-12 19:26:29 UTC
Nice to have...

Comment 7 Fedora Admin XMLRPC Client 2016-07-21 12:40:24 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 8 Jaroslav Mracek 2023-08-22 07:37:17 UTC
I believe that the request is blocked by the absence of a database or metadata that would contain information about problematic packages. In several cases the requested plugin could be replaced by the updateinfo command. If the package has a security issue, then the updateinfo metadata could mention that. I am really sorry, but I don't think that the feature is deliverable.

PS: delivering information about broken packages in RPM would not be practical, because the installed data could get outdated very easily: the install operation uses metadata, but information about problems would be available after install.

