[yum-git] docs/yum-security.8 plugins/security
James Antill
james at linux.duke.edu
Mon Aug 4 14:10:03 UTC 2008
docs/yum-security.8 | 33 ++++++++++++++++++++++++---------
plugins/security/security.py | 16 ++++++++++------
2 files changed, 34 insertions(+), 15 deletions(-)
New commits:
commit 42a47f8cb0684597ca87b317ba2f49726eae7c93
Author: James Antill <james at and.org>
Date: Mon Aug 4 10:08:53 2008 -0400
Change the yum-security documentation to reflect the new behaviour.
Make update-minimal default to the true updateinfo minimal case (takes
the oldest notice data).
diff --git a/docs/yum-security.8 b/docs/yum-security.8
index 7121ec4..99491eb 100644
--- a/docs/yum-security.8
+++ b/docs/yum-security.8
@@ -10,11 +10,17 @@ This plugin extends \fByum\fP to allow lists and updates to be limited using sec
.PP
added yum \fIcommand\fPs are:
.br
+.I \fR * update-minimal
+.PP
+This works like the update command, but if you have the the package foo-1
+installed and have foo-2 and foo-3 available with updateinfo.xml then
+update-minimal will update you to foo-3.
+.br
.I \fR * info-security
.br
.I \fR * list-security
.PP
-both of which take these \fIsub-commands\fPs are:
+both of the last two take these \fIsub-commands\fPs:
.br
.I \fR * * <advisory> [advisory...]
.br
@@ -30,7 +36,7 @@ both of which take these \fIsub-commands\fPs are:
Is used to display information about one or more advisories.
.PP
.IP "\fBlist-sec\fP" "\fBinfo-sec\fP"
-Is used to list all of the relevant security information, from the
+Is used to list all of the relevant errata notice information, from the
updateinfo.xml data in yum. This includes bugzillas, CVEs and security updates.
.IP
.IP "\fBbugzillas / bzs\fP"
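Review bot: The changed sentence sits under an .IP entry that still names the commands list-sec and info-sec, while the examples later in this patch are switched to list-security and info-security; use one spelling in both places or state that the short forms are aliases. The unchanged line that follows still ends with "security updates", so check that it reads correctly now that the sentence speaks of errata notices in general.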
@@ -63,23 +69,33 @@ To list all updates that are security relevant, and get a reutrn code on whether
.IP
yum --security check-update
.PP
-To apply updates that are security relevant use:
+To upgrade packages that have security errata (upgrades to the latest
+available package) use:
.IP
yum --security update
.PP
+To upgrade packages that have security errata (upgrades to the last
+security errata package) use:
+.IP
+yum --security update-minimal
+.PP
To get a list of all BZs that are fixed for packages you have installed use:
.IP
-yum list-sec bugzillas
+yum list-security bugzillas
.PP
To get the information on advisory FEDORA-2707-4567 use:
.IP
-yum info-sec FEDORA-2707-4567
+yum info-security FEDORA-2707-4567
.PP
-To apply updates for Bugzillas 123, 456 and 789; and all security updates use:
+To update packages to the latest version which contain fixes for Bugzillas 123, 456 and 789; and all security updates use:
.IP
yum --bz 123 --bz 456 --bz 789 --security update
.PP
-To get an info list of updates for Bugzilla 123; CVEs CVE-2207-0123 and CVE-2207-3210; and Fedora advisories FEDORA-2707-4567 and FEDORA-2707-7654 use:
+To update to the packages which just update Bugzillas 123, 456 and 789; and all security updates use:
+.IP
+yum --bz 123 --bz 456 --bz 789 --security update-minimal
+.PP
+To get an info list of the latest packages which contain fixes for Bugzilla 123; CVEs CVE-2207-0123 and CVE-2207-3210; and Fedora advisories FEDORA-2707-4567 and FEDORA-2707-7654 use:
.IP
yum --bz 123 --cve CVE-2207-0123 --cve CVE-2207-3210 --advisory FEDORA-2707-4567 --advisory FEDORA-2707-7654 info updates
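Review bot: "upgrades to the last security errata package" in the new update-minimal example is ambiguous, since "last" can be read as newest or as last in some ordering, and the commit message describes the no-option default as taking the oldest notice data. State explicitly which package is chosen relative to the installed one, for example by reusing the foo-1/foo-2/foo-3 case from the command list. "To update to the packages which just update Bugzillas 123, 456 and 789" is also hard to parse and could say "which only fix"; the context line in the hunk header has "reutrn" for "return".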
@@ -96,7 +112,6 @@ James Antill <james.antill at redhat.com>.
.fi
.SH "BUGS"
-Currently yum.conf comes as default without plugins enabled, so just installing the yum security plugin will do nothing.
-There are detailed instructions on enabling plugins in the yum man page, however just putting "plugins=1" in yum.conf should just work.
+The update-minimal command ignores the --obsoletes flag.
The main "problem" is that if the data is not correct the plugin cannot work correctly. For instance "--bz 123" will not fix BZ 123 if a package is updated to fix that BZ without referencing that it does so in the updateinfo.xml.
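Review bot: The BUGS section loses both lines about plugins being disabled by default in yum.conf, and the commit message does not mention that change. If plugins are now enabled by default, say so in the commit message; otherwise keep the "plugins=1" hint, because the removed text says that installing the plugin alone does nothing, which leaves --security without effect. For the new --obsoletes line it would help to say whether obsoleting packages that carry security errata are skipped as a result.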
diff --git a/plugins/security/security.py b/plugins/security/security.py
index 5920517..38aceeb 100755
--- a/plugins/security/security.py
+++ b/plugins/security/security.py
@@ -332,9 +332,7 @@ class SecurityUpdateCommand:
opts.sec_cmds = []
used_map = ysp_gen_used_map(opts)
- # Minimal on it's own is "just security"
- if not (opts.security or opts.advisory or opts.bz or opts.cve):
- opts.security = True
+ ndata = not (opts.security or opts.advisory or opts.bz or opts.cve)
# NOTE: Not doing obsoletes processing atm. ... maybe we should? --
# Also worth pointing out we don't go backwards for obsoletes in the:
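Review bot: The new ndata flag has no comment and its name does not say what it means, while the removed lines carried the comment that explained the default. Add a comment stating that a bare update-minimal no longer implies --security, and consider a more descriptive name such as no_filter_opts. opts.security is now left unset in this case, so check every later use of opts (ysp_should_filter_pkg takes it in the next hunk) for code that relied on it being forced to True.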
@@ -347,10 +345,16 @@ class SecurityUpdateCommand:
# Tuples == (n, a, e, v, r)
oupdates = map(lambda x: x[1], base.up.getUpdatesTuples())
for oldpkgtup in sorted(oupdates):
- for (pkgtup, notice) in md_info.get_applicable_notices(oldpkgtup):
- if extcmds and not _match_sec_cmd(extcmds, pkgtup[0], notice):
+ data = md_info.get_applicable_notices(oldpkgtup)
+ if ndata: # No options means pick the oldest update
+ data.reverse()
+
+ for (pkgtup, notice) in data:
+ name = pkgtup[0]
+ if extcmds and not _match_sec_cmd(extcmds, name, notice):
continue
- if not ysp_should_filter_pkg(opts, pkgtup[0], notice, used_map):
+ if (not ndata and
+ not ysp_should_filter_pkg(opts, name, notice, used_map)):
continue
base.update(name=pkgtup[0], arch=pkgtup[1], epoch=pkgtup[2],
version=pkgtup[3], release=pkgtup[4])
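Review bot: data.reverse() reverses the return value of md_info.get_applicable_notices() in place, which requires that method to return a fresh list on every call; the old code only iterated over it. Copy before reversing, for example reversed(list(data)), so that a generator or a cached list is not broken or reordered. With ndata set, the ysp_should_filter_pkg() check is skipped entirely, so a bare update-minimal now acts on every applicable notice and not only security ones; that deserves a comment here since the command lives in the security plugin. The new name variable is not used in the base.update() call, which still passes pkgtup[0].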