Created attachment 1486576
repro for dnf-automatic upgrading kernel packages that are version-locked and the workaround

Description of problem:
At work, we have `dnf-automatic` configured to automatically apply security updates, and also have `python3-dnf-plugin-versionlock` configured to lock kernel package versions for some users. Recently, a kernel update was released that's marked as a security update, and dnf-automatic would upgrade kernel packages even though `dnf upgrade` won't.

Version-Release number of selected component (if applicable):
❯ rpm -q dnf dnf-automatic python3-dnf-plugin-versionlock
dnf-2.7.5-12.fc28.noarch
dnf-automatic-2.7.5-12.fc28.noarch
python3-dnf-plugin-versionlock-2.1.5-4.fc28.noarch

How reproducible:
Always

Steps to Reproduce:
1. downgrade kernel packages to 4.16.3-301.fc28 and reboot to that kernel
2. configure versionlock to lock the kernel packages
3. configure dnf-automatic to automatically install security updates
4. run dnf-automatic; verify kernel gets updated
5. downgrade kernel packages again
6. configure dnf-automatic to exclude kernel packages
7. run dnf-automatic again

Actual results:
step 4 upgrades kernel packages; step 7 does not

Expected results:
steps 4 and 7 should behave identically

Additional info:

The problem is in incorrect modular filtering in dnf-2.7.5-12. It should be fixed by dnf-3.5.1 available in Fedora29+.
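
A pre-flight check for hosts still on an affected dnf, as an added example (not from the report or its attachment): it lists version-locked package names that no exclude glob in dnf-automatic's configuration covers. It assumes the workaround from step 6 is written as `excludepkgs` (or `exclude`) in the `[base]` section of automatic.conf and that versionlock.list holds `name-epoch:version-release.arch` lines; matching is on package name only, and both sample inputs are constructed.

```python
import configparser
import fnmatch
import re

# Constructed sample inputs (not taken from the bug's attachment).
VERSIONLOCK_LIST = """\
# Added locks (constructed sample)
kernel-0:4.16.3-301.fc28.*
kernel-core-0:4.16.3-301.fc28.*
kernel-modules-0:4.16.3-301.fc28.*
"""
AUTOMATIC_CONF = """\
[commands]
upgrade_type = security
apply_updates = yes

[base]
excludepkgs = kernel, kernel-core
"""

# Assumed lock-entry layout: <name>-<epoch>:<version>-<release>.<arch glob>
LOCK_RE = re.compile(r"^(?P<name>.+)-(?P<epoch>\d+):(?P<version>[^-]+)-(?P<release>.+)$")

def locked_names(text):
    """Package names from versionlock.list; skips comments and '!' entries."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = LOCK_RE.match(line)
        if m:
            names.add(m.group("name"))
    return names

def automatic_excludes(text):
    """Exclude globs from the [base] section of automatic.conf (may be absent)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    globs = []
    for key in ("excludepkgs", "exclude"):
        globs += re.split(r"[,\s]+", cp.get("base", key, fallback="").strip())
    return [g for g in globs if g]

def unprotected_locks(lock_text, conf_text):
    """Locked names that dnf-automatic is not also told to exclude."""
    globs = automatic_excludes(conf_text)
    return sorted(n for n in locked_names(lock_text)
                  if not any(fnmatch.fnmatchcase(n, g) for g in globs))

if __name__ == "__main__":
    for name in unprotected_locks(VERSIONLOCK_LIST, AUTOMATIC_CONF):
        print("locked but not excluded from dnf-automatic:", name)
```
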