Is there a way to apply advisory updates for security vulnerabilities in CoreOS?
You mean like you can with dnf? I’m not sure but there is rpm-ostree db diff
to see difference between two commits.
I guess what I am asking is when Fedora identifies a vulnerability and releases a patch updated via DNF, is there a way to apply that patch in CoreOS?
There are two things here:

- How we do security updates:
  - When security updates are released for a package included in Fedora CoreOS, we consider whether it is important enough to make what we call an async release.
  - We release an update with only those package changes (and nothing else) to the testing stream.
  - If all goes well, the stable stream then gets this update as part of the normal release cycle (at most two weeks after).

- Replacing packages in the OS:
  - If you want to update a package faster to fix a bug, you can replace any package in the OS with
    rpm-ostree override replace <pkg>
  - You can pull updates from Koji or Bodhi directly too.
  - See Release 2021.1 · coreos/rpm-ostree · GitHub.
  - Don’t forget to remove the override once the package is updated in the OS. We unfortunately do not yet have a mechanism to do that automatically.
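Since the thread notes there is no automatic way to drop an override once the base image ships the fixed package, here is an added example (not from the thread or the rpm-ostree project) that scans `rpm-ostree status` output and lists overrides whose base version has caught up, so they can be reset. It assumes the status output carries a "ReplacedBasePackages:" line in the form "name BASE -> OVERRIDE" with entries separated by commas, that versions carry no epoch, and that GNU `sort -V` is available; the sample status is constructed.

```shell
#!/bin/sh
# Added example: flag stale `rpm-ostree override replace` entries.
# Assumed line format (from rpm-ostree status):
#   ReplacedBasePackages: name BASE-VER -> OVERRIDE-VER, name2 ...
# An override is stale once BASE-VER >= OVERRIDE-VER, i.e. the stream
# now ships the fix and the override only pins an old build.

# Print one "name base_version override_version" line per override.
override_entries() {
    sed -n 's/^[[:space:]]*ReplacedBasePackages:[[:space:]]*//p' |
    tr ',' '\n' |
    awk 'NF == 4 && $3 == "->" { print $1, $2, $4 }'
}

# Print the names of overrides the base image has caught up with.
stale_overrides() {
    override_entries | while read -r name base over; do
        # Take the lower of the two versions (GNU sort -V is assumed);
        # if that is the override, the base is equal or newer.
        lowest=$(printf '%s\n%s\n' "$base" "$over" | sort -V | head -n 1)
        if [ "$lowest" = "$over" ]; then
            echo "$name"
        fi
    done
}

# Constructed sample: kernel override is stale (base 5.15.10 > 5.15.7),
# openssl override is still ahead of the base (1.1.1l > 1.1.1k).
SAMPLE_STATUS='State: idle
Deployments:
* fedora:fedora/x86_64/coreos/stable
                   Version: 35.20211215.3.0 (2021-12-15T15:02:11Z)
      ReplacedBasePackages: kernel 5.15.10-200.fc35 -> 5.15.7-200.fc35, openssl 1.1.1k-1.fc35 -> 1.1.1l-2.fc35
'

# Demo on the constructed sample; on a host use: rpm-ostree status | stale_overrides
printf '%s' "$SAMPLE_STATUS" | stale_overrides
```

Each name printed is a candidate for `rpm-ostree override reset <pkg>`, after confirming with `rpm-ostree db diff` that the base really contains the fix.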