How does dnf --security decide what to display?

I have what I hope is a simple question, but I’m struggling to find an answer when looking through man pages etc.

When I run dnf transactions with the --security flag, I seem to get different opinions from DNF on what updates actually count as far as “security” is concerned.

The easiest way to get this point across is just to demo it:

dnf list --security --upgrades shows no upgrades available

# sudo dnf list --security --upgrades
Last metadata expiration check: 2:28:20 ago on Sat 18 Dec 2021 21:44:15 GMT.
No security updates needed, but 26 updates available

manually starting dnf-automatic doesn’t show any upgrades either
(I have dnf-automatic configured to only install security upgrades)

Dec 19 00:15:01 X240 systemd[1]: Starting dnf automatic...
Dec 19 00:15:03 X240 dnf-automatic[1072373]: Last metadata expiration check: 2:30:48 ago on Sat 18 Dec 2021 21:44:15 GMT.
Dec 19 00:15:03 X240 dnf-automatic[1072373]: No security updates needed, but 26 updates available
Dec 19 00:15:04 X240 systemd[1]: dnf-automatic.service: Deactivated successfully.
Dec 19 00:15:04 X240 systemd[1]: Finished dnf automatic.

dnf upgrade --security doesn’t install anything

# sudo dnf upgrade --security
Last metadata expiration check: 2:33:44 ago on Sat 18 Dec 2021 21:44:15 GMT.
Dependencies resolved.
Nothing to do.
Complete!

— BUT —

dnf updateinfo --security shows one security notice

# sudo dnf updateinfo --security
Last metadata expiration check: 2:30:04 ago on Sat 18 Dec 2021 21:44:15 GMT.
Updates Information Summary: available
    1 Security notice(s)
        1 Moderate Security notice(s)

dnf updateinfo list --security shows the 4 package upgrades that can satisfy the notice

# sudo dnf updateinfo list --security
Last metadata expiration check: 2:29:24 ago on Sat 18 Dec 2021 21:44:15 GMT.
FEDORA-2021-c09b851eb0 Moderate/Sec. kernel-5.15.4-201.fc35.x86_64
FEDORA-2021-c09b851eb0 Moderate/Sec. kernel-core-5.15.4-201.fc35.x86_64
FEDORA-2021-c09b851eb0 Moderate/Sec. kernel-devel-5.15.4-201.fc35.x86_64
FEDORA-2021-c09b851eb0 Moderate/Sec. kernel-modules-5.15.4-201.fc35.x86_64

So what’s going on here? Surely dnf list --security --upgrades should show the same 4 kernel package upgrades as dnf updateinfo list --security does?

I’m sure I’m just missing something here but this is more concerning since I use dnf-automatic to install security upgrades and it seems like it might be missing some.

I think I’ve worked this out and, as suspected, it was a simpler issue than it first seemed.

Looking at the security notice that was showing (FEDORA-2021-c09b851eb0), I noticed that it applies just to kernel 5.15.4. dnf didn’t attempt to install the 5.15.4 packages because I already had some newer versions of those packages (for 5.15.6) installed but hadn’t rebooted yet :man_facepalming:

I must have installed 5.15.6 manually and not via a --security upgrade since it doesn’t have a security advisory attached and seems to just be a bugfix upgrade. Similarly, the 5.15.8 package is in the F35 repositories now but a dnf --security transaction doesn’t install it since that one is not marked as a security upgrade either.

Hopefully this helps someone else if they’re wondering about the same issue. Reboot first and try your dnf --security commands again!

3 Likes
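The check described in the answer above, as an added example that is not part of the original post: for each line of `dnf updateinfo list --security`, compare the advisory's build with the newest installed build of the same package. The function names, the `200.fc35` release and the `5.14.10-300.fc35` build are constructed for illustration. Epochs are ignored, and `sort -V` stands in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example, not from the original post. Epochs are ignored and `sort -V`
# only approximates rpm's version comparison (simplifying assumptions).

# Lines taken from the `dnf updateinfo list --security` output in the post.
SAMPLE_ADVISORIES='Last metadata expiration check: 2:29:24 ago on Sat 18 Dec 2021 21:44:15 GMT.
FEDORA-2021-c09b851eb0 Moderate/Sec. kernel-5.15.4-201.fc35.x86_64
FEDORA-2021-c09b851eb0 Moderate/Sec. kernel-core-5.15.4-201.fc35.x86_64'

# Constructed "name version-release" list, the shape printed by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# The releases here are constructed; the post only names version 5.15.6.
SAMPLE_INSTALLED='kernel 5.15.6-200.fc35
kernel-core 5.15.6-200.fc35
kernel-core 5.14.10-300.fc35'

# Print the highest of the version strings read from stdin (empty if none).
highest() { sort -V | tail -n 1; }

# Split name-version-release.arch into its name and its version-release.
nevra_name() ( nv=${1%.*}; nv=${nv%-*}; printf '%s\n' "${nv%-*}" )
nevra_evr() ( nvr=${1%.*}; nv=${nvr%-*}; printf '%s-%s\n' "${nv##*-}" "${nvr##*-}" )

# classify ADVISORY_TEXT INSTALLED_TEXT
# Prints "advisory-id name advisory-build status" per security line:
#   covered        newest installed build >= advisory build
#   pending        newest installed build is older than the advisory build
#   not-installed  the package is not installed
classify() {
    printf '%s\n' "$1" | while read -r id sev nevra; do
        case $sev in */Sec.) ;; *) continue ;; esac   # skip non-advisory lines
        name=$(nevra_name "$nevra"); evr=$(nevra_evr "$nevra")
        newest=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }' | highest)
        if [ -z "$newest" ]; then status=not-installed
        elif [ "$(printf '%s\n%s\n' "$evr" "$newest" | highest)" = "$newest" ]; then status=covered
        else status=pending
        fi
        printf '%s %s %s %s\n' "$id" "$name" "$evr" "$status"
    done
}

classify "$SAMPLE_ADVISORIES" "$SAMPLE_INSTALLED"
```

A `covered` line matches the situation in the post: the advisory is still listed, but a newer build is already installed, so a `--security` transaction has nothing to do for it.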