Add Support for Updating Only a Single Package#249
Open
emma-hughes-alianza wants to merge 2 commits into
Conversation
In order to reduce exposure to security bugs, it may be desirable not to take all available updates late in the release process when trying to take a fix to a specific CVE, as very new updates are more likely to have unidentified security bugs. This work allows you to take an update only to specified RPMs, meaning that users can update only those packages required in order to address CVEs without creating additional risk late in the release process.

This adds a -p --package flag to the rpmoci update command that the user can specify a particular package (or packages with multiple uses of the CLI arg) with. The tool then effectively locks every other package in place before resolving updates so that only that package changes. Where multiple identical versions of a package are available from multiple sources it uses the version from the old lockfile to avoid unneeded changes in diffs, even though the result is the same. We also add unit and integration tests to verify behaviour.

Note that updating a specific package may require updating others if they impose strict version controls - therefore you may need to provide several -p parameters.

Tested by taking months-old rpmoci.lock and rpmoci.toml from sas-dbapp and running -p updates on packages that are present and not, and that do and do not have changes.
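The selective resolution the description sketches, as an added illustration in Rust that is not rpmoci's own code: the lockfile and repository data are modelled as simple constructed structs, every unselected package stays pinned, the old lock's repository wins on version ties, and pinned packages that a selected update would force to move are reported so the caller knows which extra `-p` flags are needed (the `requires` exact-version constraint is a hypothetical simplification of RPM dependency solving).

```rust
use std::collections::{BTreeMap, HashSet};

/// One entry of the old lockfile (constructed, simplified model of rpmoci.lock).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Locked { pub name: String, pub version: u32, pub repo: String }

/// A package available from a repository. `requires` is a hypothetical,
/// simplified constraint: (dependency name, exact version it demands).
#[derive(Clone, Debug)]
pub struct Candidate {
    pub name: String,
    pub version: u32,
    pub repo: String,
    pub requires: Vec<(String, u32)>,
}

/// Update only `selected`; everything else stays pinned to the old lock.
/// Ok: the new lock (sorted by name). Err: pinned packages the update would
/// have to move, i.e. the ones the user would need to add with further `-p`.
pub fn selective_update(
    old: &[Locked],
    avail: &[Candidate],
    selected: &HashSet<&str>,
) -> Result<Vec<Locked>, Vec<String>> {
    let mut lock: BTreeMap<String, Locked> =
        old.iter().map(|l| (l.name.clone(), l.clone())).collect();
    let mut blocked = Vec::new();
    for name in selected {
        // A selected package that is not in the lock has nothing to update.
        let cur = match lock.get(*name) { Some(c) => c.clone(), None => continue };
        // Highest version wins; on equal versions the repo already in the
        // old lock is preferred so the lockfile diff stays minimal.
        let best = avail.iter().filter(|c| c.name == *name)
            .max_by_key(|c| (c.version, c.repo == cur.repo));
        let best = match best { Some(b) if b.version >= cur.version => b, _ => continue };
        for (dep, want) in &best.requires {
            // A pinned (unselected) dependency at the wrong version blocks the update.
            let mismatch = lock.get(dep).map_or(true, |d| d.version != *want);
            if mismatch && !selected.contains(dep.as_str()) { blocked.push(dep.clone()); }
        }
        let upd = Locked { name: name.to_string(), version: best.version, repo: best.repo.clone() };
        lock.insert(name.to_string(), upd);
    }
    if blocked.is_empty() { Ok(lock.into_values().collect()) } else { Err(blocked) }
}
```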
Adding Support for Updating Only Specific Packages