Red Hat Bugzilla – Bug 446547
'yum --security update' considers lots of packages with no security dependencies
Last modified: 2014-01-21 18:02:34 EST
Description of problem:
When running 'yum --security update', yum will list every installed package for
which an update exists, before showing the small subset that needs to be updated
for security and security dependencies. Merely listing these updates can take a
very long time, and leads the user to believe that yum intends to update all of
With some previous versions of yum-security (don't recall which), it would
actually attempt to install all of the available updates, as though the
--security flag had no impact on the 'update' command. Upon seeing this new
behavior, a user would be inclined to give up, assuming that old bug still
existed. The only reason I noticed that the updating behavior had been fixed
was because I left it running processing the available non-security updates
while beginning to fill out this bug report.
At this point, the problem is just that yum-security is taking far more time
than it should, and leading the user to believe it's going to do something they
explicitly asked it not to do. Many users would be inclined to give up before
they'd discover that the more serious bug has actually already been fixed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install F8 from GA media
2. yum install yum-security
3. yum --security update
Yum spends several minutes listing hundreds of packages for which non-security
updates exist. Finally it shows that it's actually only going to install a
small number of packages that need to be updated for security or security
Setting up Update Process
Limiting packages to security relevant ones
Needed 36 of 659 packages, for security
--> Running transaction check
---> Package xine-lib.x86_64 0:1.1.12-2.fc8 set to be updated
[repeat last line ~658 times, not 35 times]
The transaction check should only consider the packages marked for security
updates, and their dependencies.
Forgot to mention, 'yum --security check-update' works as expected, and
completely hides non-security updates, probably because it's not doing
There is work going on wrt. the security plugin within the Fed-9 timeframe,
however the security plugin intentionally does the "exclusion" when it does so
that if you have a security update for A and A requires a new B then you'll get
both A and B installed, instead of a failure.
It's very likely that we'll have at least one new "security-update" command,
which should solve the performance problem as it'll be able to just do the work
it needs to.
Also I recently tried this with Fed-9 versions of everything, and it doesn't
act that way ... can you try Fed-9 or the recent yum/yum-security:
yum install pygpgme -y
yum --enablerepo=development install yum yum-security
...and see if it does the same thing (wondering if you have something set weird
so that it is working differently).
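The dependency case described in the comment above (a security update for A that requires a new B), as an added example that is not part of the bug thread and is not yum or yum-security code. It is a simplified Python model with constructed package names and advisory flags, comparing an up-front filter that drops every non-security update with a selection that starts from the security updates and pulls in the updates they require:

```python
# Simplified model of a security-only update. NOT yum's implementation.
# Package names, advisory flags and requirements are constructed samples.

# name -> whether an advisory marks the update as security, and which other
# packages must also move to their new version for this update to install.
AVAILABLE_UPDATES = {
    "A": {"security": True,  "requires": ["B"]},
    "B": {"security": False, "requires": ["C"]},
    "C": {"security": False, "requires": []},
    "D": {"security": False, "requires": []},
    "E": {"security": True,  "requires": []},
}


def naive_security_filter(updates):
    """Drop every non-security update up front, then report unmet requirements."""
    kept = {name for name, upd in updates.items() if upd["security"]}
    unmet = {}
    for name in kept:
        missing = [req for req in updates[name]["requires"] if req not in kept]
        if missing:
            unmet[name] = missing
    return kept, unmet


def security_with_dependencies(updates):
    """Start from the security updates and add the updates they require."""
    selected = set()
    pending = [name for name, upd in updates.items() if upd["security"]]
    while pending:
        name = pending.pop()
        if name in selected:
            continue
        selected.add(name)
        # A requirement with no pending update is assumed to be satisfied
        # by the version that is already installed.
        pending.extend(req for req in updates[name]["requires"] if req in updates)
    return selected


if __name__ == "__main__":
    kept, unmet = naive_security_filter(AVAILABLE_UPDATES)
    print("naive filter keeps", sorted(kept), "unmet:", unmet)
    needed = security_with_dependencies(AVAILABLE_UPDATES)
    print("Needed %d of %d packages" % (len(needed), len(AVAILABLE_UPDATES)))
```

In this model the unrelated update D is never selected, while B and C are included only because the security update A needs them.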
Fedora 9 seems to be behaving as expected. Feel free to close.
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '8'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 8's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 8 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.