Applying advisory updates

Is there a way to apply advisory updates for security vulnerabilities in CoreOS?

You mean like you can with dnf? I’m not sure, but there is rpm-ostree db diff to see the difference between two commits.

I guess what I am asking is when Fedora identifies a vulnerability and releases a patch updated via DNF, is there a way to apply that patch in CoreOS?

There are two things here:

  1. How we do security updates:

    • When security updates are released for a package included in Fedora CoreOS, we consider whether it is important enough to make what we call an async release.
    • We release an update with only those package changes (and nothing else) to the testing stream.
    • If all goes well, the stable stream then gets this update as part of the normal release cycle (at most two weeks after).
  2. Replacing packages in the OS:

    • If you want to update a package faster to fix a bug, you can replace any package in the OS with rpm-ostree override replace <pkg>.
    • You can pull updates from Koji or Bodhi directly too.
    • See Release 2021.1 · coreos/rpm-ostree · GitHub.
    • Don’t forget to remove the override once the package is updated in the OS. We unfortunately do not yet have a mechanism to do that automatically.
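The replace-then-reset procedure from the answer above, as an added shell example that is not code from the post, from rpm-ostree or from Fedora CoreOS. It wraps the two rpm-ostree commands and adds the check the last bullet asks for: parse the ReplacedBasePackages line of rpm-ostree status and report overrides whose base version has caught up, so they can be reset. Assumed here: that override replace accepts a Bodhi update or Koji build URL as the thread says, the ReplacedBasePackages line format shown in the constructed SAMPLE_STATUS, and GNU sort -V as an approximation of rpm version ordering.

```shell
#!/bin/sh
# Added example for the thread above; not Fedora CoreOS docs or rpm-ostree code.
# Assumptions: rpm-ostree >= 2021.1 on the host, GNU sort (-V), and the
# "ReplacedBasePackages:" line format of `rpm-ostree status` as reproduced
# in SAMPLE_STATUS below (constructed sample, not captured from a real host).
set -e

# Replace a base package with a newer build. ARG is a local RPM path or
# (assumed, per the thread) a Bodhi update / Koji build URL.
apply_override() {
    sudo rpm-ostree override replace "$@"
}

# Once the stream ships the fix, drop the override so the host follows the
# stream again. rpm-ostree does not do this for you.
drop_override() {
    sudo rpm-ostree override reset "$@"
}

# Decide whether an override is stale. Prints the package names of every
# override whose base EVR is now >= the override EVR.
# Input: `rpm-ostree status` text on stdin. Assumed line format:
#   ReplacedBasePackages: <name>... <base-evr> -> <override-evr>
stale_overrides() {
    sed -n 's/^ *ReplacedBasePackages: \(.*\) \([^ ]*\) -> \([^ ]*\)$/\1|\2|\3/p' |
    while IFS='|' read -r names base_evr override_evr; do
        if evr_at_least "$base_evr" "$override_evr"; then
            printf '%s\n' "$names"
        fi
    done
}

# True when $1 sorts at or after $2. GNU sort -V approximates rpmvercmp;
# it does not understand epochs, so only compare EVRs of the same package.
evr_at_least() {
    printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1 | grep -qxF -- "$1"
}

# Constructed sample: two deployments, one where the base has caught up with
# the override (booted) and one where the override is still newer than the base.
SAMPLE_STATUS='State: idle
Deployments:
● ostree://fedora:fedora/x86_64/coreos/testing
                   Version: 33.20210201.2.0 (2021-02-02T18:20:04Z)
      ReplacedBasePackages: kernel kernel-core 5.10.11-200.fc33 -> 5.10.11-200.fc33

  ostree://fedora:fedora/x86_64/coreos/testing
                   Version: 33.20210117.2.1 (2021-01-19T00:15:33Z)
      ReplacedBasePackages: kernel kernel-core 5.10.7-200.fc33 -> 5.10.11-200.fc33'

# Report which overrides in SAMPLE_STATUS can be reset.
check_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | stale_overrides
}

check_sample   # prints: kernel kernel-core
```

On a real host, source the script, run apply_override with the build you need, and after each upgrade pipe rpm-ostree status into stale_overrides; when it names a package set, run drop_override with those names (override reset takes package names, not versions). The version comparison is deliberately simple: it is enough to notice that the stream has caught up, but it is not rpmvercmp, so treat its answer as a prompt to look at rpm-ostree status, not as an automatic reset.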