Enabling and disabling dnf modules can lead to 'orphaned' packages that no longer receive updates or notices of applicable CVEs or Erratas.
1) dnf module install swig
.. installs swig ..
2) dnf module disable swig
3) At this point swig RPMs are still installed
4) Errata is released for critical CVE for swig
5) host does not show CVE as applicable because the module is 'disabled'
The only way for the user to know that there is an applicable swig errata is to go back in and run:
* dnf module enable swig
As far as we can tell, there is little to no use to use dnf's 'enable/disable' module feature since you are able to install and remove directly without ever enabling and disabling, eg this works fine:
* dnf module install swig
* dnf module remove swig
We should simplify and just stick to install and remove and not have customers confused as to why errata are no longer applicable on hosts that mistakenly disabled modules and left them in an orphaned state.