Bug 446547 - 'yum --security update' considers lots of packages with no security dependencies
Product: Fedora
Classification: Fedora
Component: yum-utils
All Linux
low Severity low
Assigned To: James Antill
Fedora Extras Quality Assurance
Reported: 2008-05-14 20:57 EDT by Chris Snook
Modified: 2014-01-21 18:02 EST
Last Closed: 2009-01-09 02:48:53 EST

Description Chris Snook 2008-05-14 20:57:43 EDT
Description of problem:
When running 'yum --security update', yum will list every installed package for
which an update exists, before showing the small subset that needs to be updated
for security and security dependencies.  Merely listing these updates can take a
very long time, and leads the user to believe that yum intends to update all of
those packages.

With some previous versions of yum-security (don't recall which), it would
actually attempt to install all of the available updates, as though the
--security flag had no impact on the 'update' command.  Upon seeing this new
behavior, a user would be inclined to give up, assuming that old bug still
existed.  The only reason I noticed that the updating behavior had been fixed
was because I left it running processing the available non-security updates
while beginning to fill out this bug report.

At this point, the problem is just that yum-security is taking far more time
than it should, and leading the user to believe it's going to do something they
explicitly asked it not to do.  Many users would be inclined to give up before
they'd discover that the more serious bug has actually already been fixed.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install F8 from GA media
2. yum install yum-security
3. yum --security update
Actual results:
Yum spends several minutes listing hundreds of packages for which non-security
updates exist.  Finally it shows that it's actually only going to install a
small number of packages that need to be updated for security or security

Setting up Update Process
Resolving Dependencies
Limiting packages to security relevant ones
Needed 36 of 659 packages, for security
--> Running transaction check
---> Package xine-lib.x86_64 0:1.1.12-2.fc8 set to be updated
[repeat last line ~658 times, not 35 times]

Expected results:
The transaction check should only consider the packages marked for security
updates, and their dependencies
Comment 1 Chris Snook 2008-05-14 21:04:02 EDT
Forgot to mention, 'yum --security check-update' works as expected, and
completely hides non-security updates, probably because it's not doing
dependency resolution.
Comment 2 James Antill 2008-05-21 11:53:36 EDT
 There is work going on wrt. the security plugin within the Fed-9 timeframe,
however the security plugin intentionally does the "exclusion" when it does so
that if you have a security update for A and A requires a new B then you'll get
both A and B installed, instead of a failure.

 It's very likely that we'll have at least one new "security-update" command,
which should solve the performance problem as it'll be able to just do the work
it needs to.
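
The ordering described in Comment 2, as an added example that is not part of the original bug report and is not yum-security's code: a simplified model comparing exclusion before dependency resolution with limiting afterwards. The package names, the requirement map and the function names are constructed for illustration.

```python
# Simplified model of the ordering described in Comment 2; this is not
# yum-security's code. Package names and the requirement map are constructed.
from collections import deque

# name -> names of other packages whose *updated* version this update requires
AVAILABLE = {
    "A": ["B"],          # security update; needs the new B
    "B": ["C"],          # ordinary update, required by the new A
    "C": [],
    "xine-lib": [],      # ordinary update nothing security-related needs
    "D": ["xine-lib"],
}
SECURITY = {"A"}         # updates named in a security advisory (constructed)


def filter_before_resolve(available, security):
    """Drop non-security updates first, then look for unmet requirements."""
    kept = sorted(n for n in available if n in security)
    unmet = sorted((n, r) for n in kept for r in available[n] if r not in kept)
    return kept, unmet


def resolve_then_limit(available, security):
    """Keep security updates plus everything they transitively require."""
    needed = set()
    queue = deque(sorted(n for n in security if n in available))
    while queue:
        name = queue.popleft()
        if name in needed:
            continue
        needed.add(name)
        # A requirement with no pending update is assumed already satisfied.
        queue.extend(r for r in available[name] if r in available)
    return sorted(needed)


def summary(available, security):
    """Format the result like the 'Needed N of M packages' line in the report."""
    needed = resolve_then_limit(available, security)
    return f"Needed {len(needed)} of {len(available)} packages, for security"


if __name__ == "__main__":
    print(filter_before_resolve(AVAILABLE, SECURITY))
    print(resolve_then_limit(AVAILABLE, SECURITY))
    print(summary(AVAILABLE, SECURITY))
```

Excluding first leaves A with an unmet requirement on B, which is the failure the comment refers to; limiting after resolution keeps A, B and C and drops the unrelated updates.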
Comment 3 James Antill 2008-06-12 15:32:47 EDT
 Also I recently tried this with Fed-9 versions of everything, and it doesn't
act that way ... can you try Fed-9 or the recent yum/yum-security:

yum install pygpgme -y
yum --enablerepo=development install yum yum-security

...and see if it does the same thing (wondering if you have something set weird
so that it is working differently).
Comment 4 Chris Snook 2008-10-06 16:55:30 EDT
Fedora 9 seems to be behaving as expected.  Feel free to close.
Comment 5 Bug Zapper 2008-11-26 05:42:35 EST
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 6 Bug Zapper 2009-01-09 02:48:53 EST
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
