Upgrade only necessary packages, dnf upgrade --security

Hello Folks,
I tried upgrading Fedora 41 WS with particular packages to upgrade only the core system and security related packages, using the command

sudo dnf upgrade --refresh alternatives authselect audit appstream crypt-setup crypto-policies dmidecode dnf firewalld fwupd gnutls gupnp gnupg gnome-shell gnome-terminal glibc libselinux linux-firmware nautilus NetworkManager PackageKit polkit pam passt rpm systemd selinux-policy upower zram-generator 

then a few intel specific packages

sudo dnf upgrade --refresh intel-audio-firmware intel-gpu-firmware intel-gmm-lib intel-vpl-gpu-rt libva-intel-media-driver

then the kernel

sudo dnf upgrade kernel* --refresh

then sudo dnf reboot.

This leads a few things inoperative, e.g. gnome-terminal is not openning (automatically crashes without opening the window).

I reinstalled Fedora WS.

and followed the instruction from man dnf upgrade to upgrade the security advisory packages.

sudo dnf upgrade --refresh --security

This works and upgraded a few packages including kernel*

But still i found a few packages not upgraded using dnf check-upgrade e.g. systemd selinux-policy passt librepo libdnf gnupg gupnp fwupd dnf5 crypto-policies audit. these packages were not upgraded. while i think these packages are related to security hardening.

I don’t know how much it is safe and secure to only use

sudo dnf upgrade --security --refresh

please guide with upgrading the base system for fedora and security related packages.

Partially upgraded installations are generally more difficult to test and troubleshoot which makes partial upgrades essentially not recommended.

The lack of a security tag for security updates can happen because package maintainers are regular people who are subject to human error.

With years of experience using Fedora, I advise you to abandon this idea before it leads to even more issues than the normal way of upgrading.

The --security look for packages that are marked as a security update.
It does not select all packages that are security related (whatever that would mean).

I’m not sure why you are seeing failures, but it could be because some of the packages you update expect something else in the system to have been updated.

Why are you avoiding taking all available updates?
It is what we would normally recommend you do.

Reason for selecting specific packages, At this time I am using Fedora 41. newly installed in the Host along with 4 other vms with F41 iso with limited resources like max 2 cpu thread for each vm along with limited ram and storage.

Vm’s for different development specific purposes. Cause sometimes performing some actions leads to the whole os inoperative. This happens as mentioned above different packages have different dependencies or by misleading with the programming logic.

Now the problem is, after sudo dnf upgrade --security dnf says, there is a total 1GB amount of data will downloaded and a total 4gb of diskspace will be used. For me it is 1 X 1 and 4 X 4 excluding with the host. I never use some applications on the host, while i use them in the virtual machines.

I am not sure about the aforementioned dnf needs-restarting if it resolves the dependencies and upgrade them also or it only restart the processes (cause i am new with needs-restarting).

also please let me know if an additional package can help me resolving dependencies while or before upgrading.

Please Consider My Concern

For dnf Please provide an option to upgrade the base and security.

I’m not understanding what cherry picking packages is providing you as a benefit.
How does the limited CPU and storage required limited package upgrades?

Ok, let me explain,

E.g. Packages related to libvirt
As I know these packages are required to run hypervisor specific tasks on the host.

But I dont know what it can benefit inside vms unless the upgradable packages provide security fixes.
While I am not a nested vm user ( they will benefit the user who’s operations are related to nested vm specific )

As I guess why it is recommended, that it is required to have a fully upgraded system inorder to upgrade distribution version due to several dependencies from different packages, to avoid conflictions.

Please feel free to suggest, if my recommendations creating unmaintainable path.

If your goal is to have save disk space then you could uninstall packages that you do mot use, libvirt related in your ecample.

But if you have a package already installed the disk space has already been used. Upgrades will not change that amount of disk by any meaningful amount. But upgrades will provide bug fixes.

Ok, For Sure, After observed the log from dnf carefully and found the same, if a package is already installed, manually selecting the packages does not effect the storage much (a few more memory blocks will be engaged).

@fedora:~$ sudo dnf update libvirt*
Updating and loading repositories:
Repositories loaded.
Transaction Summary:
 Upgrading:         28 packages
 Replacing:         28 package

Total size of inbound packages is 139 MiB. Need to download 139 MiB.
After this operation, 232 KiB extra will be used (install 378 MiB, remove 378 MiB).
Is this ok [y/N]: N
Operation aborted by the user.

Rather removing the packages can optimize the storage. Thanks @barryascott .

This is an Acceptable Solution Method from @steppybug about Pykickstart. I read few parts from the doc and found, this is about Automated Minimal Installation and Maintainance of OS.

In this case this beneficial cause i may run script to install and maintain several vms.

Another Doc i found from #fedora-wiki about Infrastructure/Mirroring/ProxyMirror Infrastructure/Mirroring/ProxyMirror - Fedora Project Wiki

This method can also reduce the network load while upgrading several vm from the host acting as a mirror.

Thanks @steppybug for sharing the information about Pykickstart.