[yum-git] docs/yum-security.8 plugins/security

James Antill james at linux.duke.edu
Mon Aug 4 14:10:03 UTC 2008


 docs/yum-security.8          |   33 ++++++++++++++++++++++++---------
 plugins/security/security.py |   16 ++++++++++------
 2 files changed, 34 insertions(+), 15 deletions(-)

New commits:
commit 42a47f8cb0684597ca87b317ba2f49726eae7c93
Author: James Antill <james at and.org>
Date:   Mon Aug 4 10:08:53 2008 -0400

     Change the yum-security documentation to reflect the new behaviour.
       Make update-minimal default to the true updateinfo minimal case (takes
    the oldest notice data).

diff --git a/docs/yum-security.8 b/docs/yum-security.8
index 7121ec4..99491eb 100644
--- a/docs/yum-security.8
+++ b/docs/yum-security.8
@@ -10,11 +10,17 @@ This plugin extends \fByum\fP to allow lists and updates to be limited using sec
 .PP 
 added yum \fIcommand\fPs are:
 .br 
+.I \fR * update-minimal
+.PP 
+This works like the update command, but if you have the the package foo-1
+installed and have foo-2 and foo-3 available with updateinfo.xml then
+update-minimal will update you to foo-3.
+.br 
 .I \fR * info-security
 .br 
 .I \fR * list-security
 .PP 
-both of which take these \fIsub-commands\fPs are:
+both of the last two take these \fIsub-commands\fPs:
 .br 
 .I \fR * * <advisory> [advisory...]
 .br 
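Review bot: the added update-minimal description has a doubled word ("the the package"), and its example does not show how the command differs from plain update: with foo-1 installed and foo-2 and foo-3 available, an ordinary update would also land on foo-3. The commit message says the default now takes the oldest notice data, so the example should say which of foo-2 and foo-3 carry a notice in updateinfo.xml and name the version update-minimal picks in that case.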
@@ -30,7 +36,7 @@ both of which take these \fIsub-commands\fPs are:
 Is used to display information about one or more advisories.
 .PP 
 .IP "\fBlist-sec\fP" "\fBinfo-sec\fP"
-Is used to list all of the relevant security information, from the
+Is used to list all of the relevant errata notice information, from the
 updateinfo.xml data in yum. This includes bugzillas, CVEs and security updates.
 .IP 
 .IP "\fBbugzillas / bzs\fP"
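Review bot: the .IP heading just above the changed line still names the commands list-sec and info-sec, while the examples later in this patch are switched to list-security and info-security. Use one spelling throughout the man page, or state here that the short forms are accepted aliases if that is the case, so a reader searching for either name finds this entry.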
@@ -63,23 +69,33 @@ To list all updates that are security relevant, and get a reutrn code on whether
 .IP
 yum --security check-update
 .PP
-To apply updates that are security relevant use:
+To upgrade packages that have security errata (upgrades to the latest
+available package) use:
 .IP
 yum --security update
 .PP
+To upgrade packages that have security errata (upgrades to the last
+security errata package) use:
+.IP
+yum --security update-minimal
+.PP
 To get a list of all BZs that are fixed for packages you have installed use:
 .IP
-yum list-sec bugzillas
+yum list-security bugzillas
 .PP
 To get the information on advisory FEDORA-2707-4567 use:
 .IP
-yum info-sec FEDORA-2707-4567
+yum info-security FEDORA-2707-4567
 .PP
-To apply updates for Bugzillas 123, 456 and 789; and all security updates use:
+To update packages to the latest version which contain fixes for Bugzillas 123, 456 and 789; and all security updates use:
 .IP
 yum --bz 123 --bz 456 --bz 789 --security update
 .PP
-To get an info list of updates for Bugzilla 123; CVEs CVE-2207-0123 and CVE-2207-3210; and Fedora advisories FEDORA-2707-4567 and FEDORA-2707-7654 use:
+To update to the packages which just update Bugzillas 123, 456 and 789; and all security updates use:
+.IP
+yum --bz 123 --bz 456 --bz 789 --security update-minimal
+.PP
+To get an info list of the latest packages which contain fixes for Bugzilla 123; CVEs CVE-2207-0123 and CVE-2207-3210; and Fedora advisories FEDORA-2707-4567 and FEDORA-2707-7654 use:
 .IP
 yum --bz 123 --cve CVE-2207-0123 --cve CVE-2207-3210 --advisory FEDORA-2707-4567 --advisory FEDORA-2707-7654 info updates
 
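Review bot: in the two paragraphs for "yum --security update" and "yum --security update-minimal", the phrases "latest available package" and "last security errata package" are too close to tell apart, and "last" can be read as either the newest or the final one in a series. State explicitly which package each command selects, for example by saying whether it is the newest package in the repository or the package named in the notice. The added sentence "To update to the packages which just update Bugzillas 123, 456 and 789" also needs rewording, since packages fix bugs rather than update them.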
@@ -96,7 +112,6 @@ James Antill <james.antill at redhat.com>.
 .fi
 
 .SH "BUGS"
-Currently yum.conf comes as default without plugins enabled, so just installing the yum security plugin will do nothing.
-There are detailed instructions on enabling plugins in the yum man page, however just putting "plugins=1" in yum.conf should just work.
+The update-minimal command ignores the --obsoletes flag.
 
 The main "problem" is that if the data is not correct the plugin cannot work correctly. For instance "--bz 123" will not fix BZ 123 if a package is updated to fix that BZ without referencing that it does so in the updateinfo.xml.
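Review bot: the two removed BUGS lines about yum.conf shipping without plugins enabled are dropped without any mention in the commit message, which only covers update-minimal. If that default has changed, say so in the log or remove the lines in a separate commit; if it has not, keep the plugins=1 hint, because the removed text is the only place this page tells the reader that installing the plugin alone does nothing. The new --obsoletes entry would also be more useful if it said whether ignoring the flag is intended or pending work.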
diff --git a/plugins/security/security.py b/plugins/security/security.py
index 5920517..38aceeb 100755
--- a/plugins/security/security.py
+++ b/plugins/security/security.py
@@ -332,9 +332,7 @@ class SecurityUpdateCommand:
         opts.sec_cmds = []
         used_map      = ysp_gen_used_map(opts)
 
-        # Minimal on it's own is "just security"
-        if not (opts.security or opts.advisory or opts.bz or opts.cve):
-            opts.security = True
+        ndata = not (opts.security or opts.advisory or opts.bz or opts.cve)
 
         # NOTE: Not doing obsoletes processing atm. ... maybe we should? --
         # Also worth pointing out we don't go backwards for obsoletes in the:
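Review bot: the new ndata assignment replaces a commented block with an uncommented flag whose name does not say what it means. It is true when none of --security, --advisory, --bz or --cve was given, so a more descriptive name (no_filter_opts, say) and a one-line comment would make the later "if ndata:" tests readable. Note also that opts.security is no longer forced to True here, so any code after this point that reads opts.security sees a different value for a bare update-minimal than it did before.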
@@ -347,10 +345,16 @@ class SecurityUpdateCommand:
         # Tuples == (n, a, e, v, r)
         oupdates  = map(lambda x: x[1], base.up.getUpdatesTuples())
         for oldpkgtup in sorted(oupdates):
-            for (pkgtup, notice) in md_info.get_applicable_notices(oldpkgtup):
-                if extcmds and not _match_sec_cmd(extcmds, pkgtup[0], notice):
+            data = md_info.get_applicable_notices(oldpkgtup)
+            if ndata: # No options means pick the oldest update
+                data.reverse()
+
+            for (pkgtup, notice) in data:
+                name = pkgtup[0]
+                if extcmds and not _match_sec_cmd(extcmds, name, notice):
                     continue
-                if not ysp_should_filter_pkg(opts, pkgtup[0], notice, used_map):
+                if (not ndata and
+                    not ysp_should_filter_pkg(opts, name, notice, used_map)):
                     continue
                 base.update(name=pkgtup[0], arch=pkgtup[1], epoch=pkgtup[2],
                             version=pkgtup[3], release=pkgtup[4])
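Review bot: data.reverse() in the ndata branch reverses the list returned by md_info.get_applicable_notices() in place, and "pick the oldest update" then depends on that method returning notices newest first, which nothing in this hunk documents or checks. If the method hands back a stored list rather than a fresh one, a later call for the same package would see the order flipped; iterating over reversed(data) or a copy avoids that, and a comment stating the expected ordering would help. The new name variable is used in the two filter calls, but base.update() still passes pkgtup[0], so use name there as well.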


