zypper dup wants to update all packages ?
A zypper dup on my install wants to update all packages (4900). Is that normal ? From what I can tell there is no glibc update with a full distro rebuild...
On Sat, Mar 30, 2024 at 11:08 PM Michael Pujos <pujos.michael@gmail.com> wrote:
A zypper dup on my install wants to update all packages (4900). Is that normal ? From what I can tell there is no glibc update with a full distro rebuild...
Same question, can't noticed something on the snapshot email.
Am 30.03.24 um 22:07 schrieb Michael Pujos:
A zypper dup on my install wants to update all packages (4900). Is that normal ? From what I can tell there is no glibc update with a full distro rebuild...
I am also seeing this for TW20240329, maybe a rebuild of the infrastructure due to the xz-backdoor issue (CVE-2024-3094). Regards, Frank
Hi, On 30/03/2024 22:15, Frank Krüger via openSUSE Factory wrote:
Am 30.03.24 um 22:07 schrieb Michael Pujos:
A zypper dup on my install wants to update all packages (4900). Is that normal ? From what I can tell there is no glibc update with a full distro rebuild...
I am also seeing this for TW20240329, maybe a rebuild of the infrastructure due to the xz-backdoor issue (CVE-2024-3094).
Yes, as mentioned in an earlier mail in this list "Tumbleweed - Review of the week 2024/13", we bootstrapped the base (ring0) on snapshot 20240328 and snapshot 20240329 contains a full rebuild of Tumbleweed. We also took advantage of this rebuild to remove all the Python3.9 modules. So don't be surprised by upgrades of thousands of packages, just upgrade and very importantly, reboot your system. Ana
Is this a case where, if we wait for a couple of weeks, the number of package changes will only be say "4500"??? TW just did a few thousand not too long ago, maybe a couple weeks in a row . . . time and electricity get spent in these total repackage efforts . . . . : - 0
Op zondag 31 maart 2024 01:58:20 CEST schreef Fritz Hudnut:
Is this a case where, if we wait for a couple of weeks, the number of package changes will only be say "4500"???
TW just did a few thousand not too long ago, maybe a couple weeks in a row . . . time and electricity get spent in these total repackage efforts . . . . : - 0 The answer is in this ML:
"For some regions, there is a long weekend ahead – so expect no / few snapshots until early next week. For snapshot 0328, Ring0 has been completely bootstrapped (as the attack vectors for xz were not fully known, we went the safest route) and for 0329 all of Tumbleweed rebuilt against that new base; Ezpect that snapshot to appear ‘large’ (even though many packages will not be different). " -- Gertjan Lettink a.k.a. Knurpht openSUSE Board openSUSE Forums Team
On 03-30-2024 08:06PM, Knurpht-openSUSE wrote:
Op zondag 31 maart 2024 01:58:20 CEST schreef Fritz Hudnut:
Is this a case where, if we wait for a couple of weeks, the number of package changes will only be say "4500"???
TW just did a few thousand not too long ago, maybe a couple weeks in a row . . . time and electricity get spent in these total repackage efforts . . . . : - 0 The answer is in this ML:
"For some regions, there is a long weekend ahead – so expect no / few snapshots until early next week. For snapshot 0328, Ring0 has been completely bootstrapped (as the attack vectors for xz were not fully known, we went the safest route) and for 0329 all of Tumbleweed rebuilt against that new base; Ezpect that snapshot to appear ‘large’ (even though many packages will not be different). "
Can you suggest how for me to better understand about "Ring0 has been completely bootstrapped"? I ask this because you may know some SUSE or openSUSE webpages related to this. I am not an advanced user by any means.
On Sat, Mar 30, 2024, 9:19 PM -pj via openSUSE Factory < factory@lists.opensuse.org> wrote:
On 03-30-2024 08:06PM, Knurpht-openSUSE wrote:
Op zondag 31 maart 2024 01:58:20 CEST schreef Fritz Hudnut:
Is this a case where, if we wait for a couple of weeks, the number of package changes will only be say "4500"???
TW just did a few thousand not too long ago, maybe a couple weeks in a row . . . time and electricity get spent in these total repackage efforts . . . . : - 0 The answer is in this ML:
"For some regions, there is a long weekend ahead – so expect no / few snapshots until early next week. For snapshot 0328, Ring0 has been completely bootstrapped (as the attack vectors for xz were not fully known, we went the safest route) and for 0329 all of Tumbleweed rebuilt against that new base; Ezpect that snapshot to appear ‘large’ (even though many packages will not be different). "
Can you suggest how for me to better understand about "Ring0 has been completely bootstrapped"? I ask this because you may know some SUSE or openSUSE webpages related to this. I am not an advanced user by any means.
I am not an insider, but... Bootstrapping usually means to build everything from source. It can also mean to start "clean" or from "nothing". Clean and nothing would depend on the context. Ring 0 is, I assume, is a set of critical/basic software required to build the distribution and possibly installation media. I am aware of this list: https://build.opensuse.org/project/show/openSUSE:Factory:Rings:0-Bootstrap -- Tony
On Sat 2024-03-30, -pj via openSUSE Factory wrote:
For snapshot 0328, Ring0 has been completely bootstrapped (as the attack vectors for xz were not fully known, we went the safest route) and for 0329 all of Tumbleweed rebuilt against that new base Can you suggest how for me to better understand about "Ring0 has been completely bootstrapped"? I ask this because you may know some SUSE or openSUSE webpages related to this. I am not an advanced user by any means.
Two things have happened: 1. The core of openSUSE Tumbleweed (= Ring 0) has been rebuilt from scratch. This is the base that builds everything else. Snapshot 0328. 2. Based on that everything else has been rebuilt. Snapshot 0329. In other words, openSUSE Tumbleweed has been completely rebuilt from sources - every single bit. This is in response to the XZ security issue: https://news.opensuse.org/2024/03/29/xz-backdoor/ And when you run "zypper dup", as every Tumbleweed user should, every single package should be replaced. This is not business as usual, rather to the contrary. Gerald
On Sat Mar 30, 2024 at 10:07 PM CET, Michael Pujos wrote:
A zypper dup on my install wants to update all packages (4900). Is that normal ? From what I can tell there is no glibc update with a full distro rebuild...
xz update Matěj -- http://matej.ceplovi.cz/blog/, @mcepl@floss.social GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8 Therefore, faithful Christian, seek truth, hear truth, learn truth, love truth, speak truth, hold truth, defend truth until death: because truth will free you from sin, from devil, from the death of soul and finally from the death eternal, which is a separation from God’s mercy. -- Master John Hus, Explanation of Credo, 1412
participants (10)
-
-pj -
Ana Guerrero Lopez -
Frank Krüger -
Fritz Hudnut -
Gerald Pfeifer -
Knurpht-openSUSE -
Matěj Cepl -
Michael Pujos -
Stratos Zolotas -
Tony Walker