[Yum] Re: relationship between up2date and yum repos

jeff stern jas at uci.edu
Wed Sep 7 20:45:45 UTC 2005


stuart, it is nice to hear that you all have decided to move people over 
to yum and even make GUI tools for it (though i still love the command 
line yum.. so easy to 'yum -y update'..)..

also, i would like to mention that there is currently a serious security 
bug in the gnome panel alerter icon (the "RHN alert-notification tool" 
which comes in the "rhn-applet" rpm ).. the bug can be viewed at 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160873 but has not 
been fixed or otherwise publicly announced by the fedora community 
(again, to my knowledge -- please correct me if i'm wrong on this), even 
though it is a serious security issue.

the bug is that the up2date alert icon shows the blue checkmark all the 
time -- even when in fact updates are available. therefore, people (for 
now) should be using yum (either manually, or via cron) to keep their 
systems up to date until the bug is fixed.

the bug has something to do with the setting up of remote repositories 
(repomd or some such) and the fact that up2date cannot handle it -- or 
some such -- i'm not so clear.

in any case, i (and others) view it as a potentially serious security 
issue because, since it was broken in fc4, anyone who is relying on the 
alert icon thinks they are fine, when in fact, patches are available -- 
thus leaving their system potentially open to any security issues which 
these patches would otherwise have fixed for them..

and, it is a "Catch-22" problem, since, if the up2date system thinks 
that everything is fine, then the administrator won't update. if they 
don't update, then the bug never gets fixed. if the bug never gets 
fixed, it continues to think that everything is fine..

the fact that the alert icon bug has not been publicly announced by 
redhat (or the fedora folks?) in order to notify people to use yum 
instead (or to at least list all repositories in the /etc/yum.conf file 
instead of in separate files in /etc/yum.repos.d/), is particularly 
alarming (and people have noted this in the bug itself).
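
The cron-based yum check suggested in the message above could look like the following. This is an added example, not part of the original post. `YUM_CHECK_CMD` and the `--cron` switch are hypothetical names, and the script relies on `yum check-update` exiting with 100 when updates are pending.

```shell
#!/bin/sh
# Added example: ask yum directly whether updates are pending, so the answer
# does not depend on the rhn-applet panel icon.
# YUM_CHECK_CMD is a hypothetical override that lets the logic run without yum.
YUM_CHECK_CMD=${YUM_CHECK_CMD:-"yum -q check-update"}

# Prints "current", "pending <n>" or "error <rc>".
# Returns 0 when current, 100 when updates are pending, 1 on any other result.
pending_updates() {
    # yum check-update exits 0 (nothing to do), 100 (updates available)
    # or another value on error; capture it without tripping "set -e".
    out=$($YUM_CHECK_CMD 2>/dev/null) && rc=0 || rc=$?
    case $rc in
        0)
            echo "current"
            return 0 ;;
        100)
            # Package lines have three columns: name.arch, version, repo.
            # The count is approximate if yum also lists obsoleting packages.
            n=$(printf '%s\n' "$out" | awk 'NF == 3 { c++ } END { print c + 0 }')
            echo "pending $n"
            return 100 ;;
        *)
            # A failed check must not be reported as "up to date".
            echo "error $rc"
            return 1 ;;
    esac
}

# When called with --cron (for example from a crontab entry), print only if
# the system is not current; cron mails any output to the job's owner.
if [ "${1:-}" = "--cron" ]; then
    status=$(pending_updates) || true
    [ "$status" = "current" ] || echo "$(hostname): yum reports $status"
fi
```

Treating a failed check as its own state matters here: an unreachable or misread repository is reported as an error instead of being shown as "no updates".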
