Enabling and disabling dnf modules can lead to 'orphaned' packages that no longer receive updates or notices of applicable CVEs or Erratas.
1) dnf module install swig
.. installs swig ..
2) dnf module disable swig
3) At this point swig RPMs are still installed
4) Errata is released for critical CVE for swig
5) host does not show CVE as applicable because the module is 'disabled'
The only way for the user to know that there is an applicable swig errata is to go back in and run:
* dnf module enable swig
As far as we can tell, there is little to no use to use dnf's 'enable/disable' module feature since you are able to install and remove directly without ever enabling and disabling, eg this works fine:
* dnf module install swig
* dnf module remove swig
We should simplify and just stick to install and remove and not have customers confused as to why errata are no longer applicable on hosts that mistakenly disabled modules and left them in an orphaned state.
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in approximately a month. If you have any concerns about this, please contact your Red Hat Account team. Thank you.
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact your Red Hat Account Team. Thank you.