Leap 15.3: Policies/rules for update repositories?
Hello all,

Leap 15.3 has 4 update repositories instead of 2 like Leap 15.2 and previous versions:

- repo-backports-update (new as of 15.3)
- repo-sle-update (new as of 15.3)
- repo-update
- repo-update-non-oss

I roughly understand the purpose of the above repos (see e.g. https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#installati...).

But I'd like to know more about the policies/rules which apply to these repos. Questions that come to mind:

- Is the repository really required to get security fixes?
- Does the repository contain explicit security fixes? (I.e. are only security fixes applied to existing versions or will new versions from upstream be made available?)
- Are version numbers (mostly/somewhat/...) kept stable?
- Does the repository provide patches for zypper or complete RPMs only?

Is there any document/description that answers these types of questions?

I guess for *repo-backports-update* the policy is more or less that you ship what you (can) get from upstream.

*repo-sle-update* and *repo-update* seem to contain security fixes and patch definitions (just looked briefly).

How about *repo-backports-update*?

Previously (e.g. with 15.2) the policy seemed to result in rather stable version numbers, i.e. few updates where minor (or even major) version numbers changed.

This seems to be different for 15.3, particularly when looking at backports-update.

But that's all guesswork and I couldn't find any documentation for that.

One example package that I stumbled across is

--- snip ---
leap153:~ # zypper se -s ruby2.5-rubygem-i18n
[...]
S | Name                     | Version           | Arch   | Repository
--+--------------------------+-------------------+--------+----------------------
  | ruby2.5-rubygem-i18n     | 0.9.1-1.21        | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-0_6 | 0.6.11-bp153.1.16 | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-1.1 | 1.1.1-bp153.1.16  | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-1.8 | 1.8.10-bp153.2.1  | x86_64 | repo-backports-update
--- snip ---

My current understanding is that I can simply choose from any of the above versions, but none was released because of security reasons.

And if so, would there be security updates for e.g. ruby2.5-rubygem-i18n-0_6 or ruby2.5-rubygem-i18n-1.1? And where would they be published?

Explanations/insights/hints are much appreciated.

Thanks and regards -- Till

--
Dipl.-Inform. Till Dörges doerges@pre-sense.de
PRESENSE Technologies GmbH, Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Directors: Till Dörges, Jürgen Sander
AG Hamburg, HRB 107844
USt-IdNr.: DE263765024
Visit us on the digital platform it-sa 365: https://www.itsa365.de/de-de/companies/p/presense-technologies-gmbh
On Fri, Oct 01, 2021 at 04:07:03PM +0200, Till Dörges wrote:
Hello all,
Leap 15.3 has 4 update repositories instead of 2 like Leap 15.2 and previous versions:
- repo-backports-update (new as of 15.3)
- repo-sle-update (new as of 15.3)
- repo-update
- repo-update-non-oss
I roughly understand the purpose of the above repos (see e.g. https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#installati...).
But I'd like to know more about the policies/rules which apply to these repos. Questions that come to mind:
- Is the repository really required to get security fixes?
Yes, for all.
- Does the repository contain explicit security fixes? (I.e. are only security fixes applied to existing versions or will new versions from upstream be made available?)
Only security and bugfixes... Usually no version updates.
- Are version numbers (mostly/somewhat/...) kept stable?
Largely. For some packages we do version updates occasionally, like e.g. chromium and Firefox ESR.
- Does the repository provide patches for zypper or complete RPMs only?
patches.
Is there any document/description that answers these types of questions?
I guess for *repo-backports-update* the policy is more or less that you ship what you (can) get from upstream.
No, it is the openSUSE Leap packages that are not in SLE, but made available to both PackageHub for SLE 15-sp3 and for Leap 15.3.
*repo-sle-update* and *repo-update* seem to contain security fixes and patch definitions (just looked briefly).
How about *repo-backports-update*?
Same.
Previously (e.g. with 15.2) the policy seemed to result in rather stable version numbers, i.e. few updates where minor (or even major) version numbers changed.
This seems to be different for 15.3, particularly when looking at backports-update.
The policy is still the same. Leap 15.3 is just pieced together out of 3 different sources instead of 1. (+ nonfree for each) But the update rules for 15.3 are the same as for 15.2.
But that's all guesswork and I couldn't find any documentation for that.
Perhaps this helps a bit: https://news.opensuse.org/2021/07/19/leap-gains-maintenance-update-improveme...
One example package that I stumbled across is
--- snip ---
leap153:~ # zypper se -s ruby2.5-rubygem-i18n
[...]
S | Name                     | Version           | Arch   | Repository
--+--------------------------+-------------------+--------+----------------------
  | ruby2.5-rubygem-i18n     | 0.9.1-1.21        | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-0_6 | 0.6.11-bp153.1.16 | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-1.1 | 1.1.1-bp153.1.16  | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-1.8 | 1.8.10-bp153.2.1  | x86_64 | repo-backports-update
--- snip ---
My current understanding is that I can simply choose from any of the above versions, but none was released because of security reasons.
And if so, would there be security updates for e.g. ruby2.5-rubygem-i18n-0_6 or ruby2.5-rubygem-i18n-1.1? And where would they be published?
These are parallel packages for 4 different i18n rubygem versions.
Security updates would be there for either of those 4 (if applicable).
Ciao, Marcus
On 02.10.2021 10:11, Marcus Meissner wrote:
- Does the repository provide patches for zypper or complete RPMs only?
patches.
There is probably terminology confusion here. Update repositories provide patch descriptions that tell zypper what RPMs to install. Additionally they always provide complete RPMs which are what actually gets installed when patch "installation" is requested. But patch descriptions are just metadata and are entirely optional (i.e. you can also apply updated RPMs without going via patch indirection).
"Patches" just tell zypper to replace existing RPM packages with new RPM packages with higher versions.
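The relationship described in the message above (patch descriptions are metadata that point at complete RPMs) shown as an added example that is not part of the original thread. The XML is a constructed, namespace-free simplification of a repository's updateinfo metadata; the patch ids, package names and the helpers ver_key and needed_patches are hypothetical, and the version ordering is a simplified stand-in for RPM's own comparison.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified updateinfo.xml; ids, names and versions are placeholders.
UPDATEINFO = """<updates>
 <update type="security"><id>EXAMPLE-2021-1</id>
  <pkglist><collection>
   <package name="examplepkg" version="1.2.3" release="bp153.2.4.1" arch="x86_64">
    <filename>examplepkg-1.2.3-bp153.2.4.1.x86_64.rpm</filename></package>
  </collection></pkglist></update>
 <update type="recommended"><id>EXAMPLE-2021-2</id>
  <pkglist><collection>
   <package name="otherpkg" version="2.1" release="1.1" arch="noarch">
    <filename>otherpkg-2.1-1.1.noarch.rpm</filename></package>
  </collection></pkglist></update>
 <update type="security"><id>EXAMPLE-2021-3</id>
  <pkglist><collection>
   <package name="absentpkg" version="9.0" release="1.1" arch="x86_64">
    <filename>absentpkg-9.0-1.1.x86_64.rpm</filename></package>
  </collection></pkglist></update>
</updates>"""

# Constructed installed set: name -> (version, release)
INSTALLED = {"examplepkg": ("1.2.3", "bp153.1.16"), "otherpkg": ("2.0", "1.1")}


def ver_key(s):
    """Simplified RPM-style ordering (no epoch/tilde): numeric segments beat alphabetic."""
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]


def needed_patches(xml_text, installed, category="security"):
    """Map patch id -> RPM files for patches listing a newer build of an installed package."""
    needed = {}
    for upd in ET.fromstring(xml_text).iter("update"):
        if upd.get("type") != category:
            continue
        for pkg in upd.iter("package"):
            have = installed.get(pkg.get("name"))
            if have is None:
                continue  # not installed, so the patch does not apply here
            offered = (ver_key(pkg.get("version")), ver_key(pkg.get("release")))
            if (ver_key(have[0]), ver_key(have[1])) < offered:
                needed.setdefault(upd.findtext("id"), []).append(pkg.findtext("filename"))
    return needed


if __name__ == "__main__":
    print(needed_patches(UPDATEINFO, INSTALLED))
```

The patch entry only selects which complete RPM replaces the installed one; the category filter is the part that lets an administrator restrict a run to security patches.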
On 02/10/2021 09.48, Andrei Borzenkov wrote:
On 02.10.2021 10:11, Marcus Meissner wrote:
- Does the repository provide patches for zypper or complete RPMs only?
patches.
There is probably terminology confusion here. Update repositories provide patch descriptions that tell zypper what RPMs to install. Additionally they always provide complete RPMs which are what actually gets installed when patch "installation" is requested. But patch descriptions are just metadata and are entirely optional (i.e. you can also apply updated RPMs without going via patch indirection).
"Patches" just tell zypper to replace existing RPM packages with new RPM packages with higher versions.
And maybe the OP was thinking of delta rpms vs complete rpms.
--
Cheers / Saludos, Carlos E. R. (from oS Leap 15.2 x86_64 (Minas Tirith))
On 02.10.2021 10:11, Marcus Meissner wrote:
One example package that I stumbled across is
--- snip ---
leap153:~ # zypper se -s ruby2.5-rubygem-i18n
[...]
S | Name                     | Version           | Arch   | Repository
--+--------------------------+-------------------+--------+----------------------
  | ruby2.5-rubygem-i18n     | 0.9.1-1.21        | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-0_6 | 0.6.11-bp153.1.16 | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-1.1 | 1.1.1-bp153.1.16  | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-1.8 | 1.8.10-bp153.2.1  | x86_64 | repo-backports-update
--- snip ---
My current understanding is that I can simply choose from any of the above versions, but none was released because of security reasons.
And if so, would there be security updates for e.g. ruby2.5-rubygem-i18n-0_6 or ruby2.5-rubygem-i18n-1.1? And where would they be published?
These are parallel packages for 4 different i18n rubygem versions.
Security updates would be there for either of those 4 (if applicable).
ruby2.5-rubygem-i18n-1.8 exists only in backports update repository. If those repositories contain only patches (a.k.a. updates for packages in main repositories) then where is the original package that is being updated? It must come via main OSS repository, right?
Hi Marcus, hi all,
thanks for your answer.
On 02.10.21 at 09:11, Marcus Meissner wrote:
I guess for *repo-backports-update* the policy is more or less that you ship what you (can) get from upstream.
No, it is the openSUSE Leap packages that are not in SLE, but made available to both PackageHub for SLE 15-sp3 and for Leap 15.3.
Sorry. Typo on my side. I meant repo-update-non-oss.
One example package that I stumbled across is
--- snip ---
leap153:~ # zypper se -s ruby2.5-rubygem-i18n
[...]
S | Name                     | Version           | Arch   | Repository
--+--------------------------+-------------------+--------+----------------------
  | ruby2.5-rubygem-i18n     | 0.9.1-1.21        | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-0_6 | 0.6.11-bp153.1.16 | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-1.1 | 1.1.1-bp153.1.16  | x86_64 | repo-oss
  | ruby2.5-rubygem-i18n-1.8 | 1.8.10-bp153.2.1  | x86_64 | repo-backports-update
--- snip ---
My current understanding is that I can simply choose from any of the above versions, but none was released because of security reasons.
And if so, would there be security updates for e.g. ruby2.5-rubygem-i18n-0_6 or ruby2.5-rubygem-i18n-1.1? And where would they be published?
These are parallel packages for 4 different i18n rubygem versions.
Security updates would be there for either of those 4 (if applicable).
Ack.
Looking at the release numbers I'm guessing that 0.6, 1.1 and 1.8 are from backports/PackageHub.
But only 1.8 is from repo-backports-update. Does this mean in addition to security updates that new versions of packages can be introduced via repo-backports-update?
It also generally seems that Leap 15.3 now offers more packages in multiple versions than previous versions. Is that correct?
Thanks and regards -- Till

--
Dipl.-Inform. Till Dörges doerges@pre-sense.de
Tel. +49 - 40 - 244 2407 - 0, Fax +49 - 40 - 244 2407 - 24
PRESENSE Technologies GmbH, Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Directors: Till Dörges, Jürgen Sander
AG Hamburg, HRB 107844
USt-IdNr.: DE263765024
Visit us on the digital platform it-sa 365: https://www.itsa365.de/de-de/companies/p/presense-technologies-gmbh
On Sat, Oct 02, 2021 at 05:42:37PM +0200, Till Dörges wrote:
Hi Marcus, hi all,
thanks for your answer.
On 02.10.21 at 09:11, Marcus Meissner wrote:
I guess for *repo-backports-update* the policy is more or less that you ship what you (can) get from upstream.
No, it is the openSUSE Leap packages that are not in SLE, but made available to both PackageHub for SLE 15-sp3 and for Leap 15.3.
Sorry. Typo on my side. I meant repo-update-non-oss.
non-oss largely has the non-free packages.
obs ls openSUSE:Leap:15.3:NonFree
To get the list.
Opera and Steam get version updates out of those regularly.
Ack.
Looking at the release numbers I'm guessing that 0.6, 1.1 and 1.8 are from backports/PackageHub.
But only 1.8 is from repo-backports-update. Does this mean in addition to security updates that new versions of packages can be introduced via repo-backports-update?
Please note that "backports" is a project codename, but not the concept of the repository. Backports project is the non-SLE part of Leap 15.3 and packagehub. Its update policy is a bit less strict, so it can take updates via backported patches or by version updates. It is the same strategy we used for all previous Leap versions still.
It also generally seems that Leap 15.3 now offers more packages in multiple versions than previous versions. Is that correct?
By pure chance I would say (eg the rubygem-i18 example), not intentionally.
Ciao, Marcus
participants (4)
- Andrei Borzenkov
- Carlos E. R.
- Marcus Meissner
- Till Dörges