It sounds like there's agreement that Satellite can just negative-commit the change as part of the normal cherry-pick process. Justin, is that your understanding? Can I close the uptream issue?

Yes, that is my understanding.  We just need to revert https://github.com/pulp/pulp_rpm/pull/872/

The Pulp upstream bug status is at CLOSED - WONTFIX. Updating the external tracker on this bug.

The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Try to apply an errata through satellite via katello-agent (not Remote exeuction) on an RHEL 6 client that does not have the 'yum-plugin-security' package installed. 

If the patch is not reverted this will fail.

Verified in Satellite 6.2.3 Snap 3. Errata install was successful on a rhel 6.8 via katello-agent on a machine without the yum-plugin-security package.

[root@gizmo ~]# rpm -qa | grep yum-plugin-security
[root@gizmo ~]#
[root@gizmo ~]# rpm -qa | grep initscripts
initscripts-9.03.53-1.el6_8.1.x86_64
[root@gizmo ~]# lsb_release -a
LSB Version:	:base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID:	RedHatEnterpriseServer
Description:	Red Hat Enterprise Linux Server release 6.8 (Santiago)
Release:	6.8
Codename:	Santiago


see attached image for errata install success.

Created attachment 1209643 [details]
verification screenshot

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:2108