On 08/09/2021 15.08, cagsm wrote:
On Wed, Sep 8, 2021 at 2:40 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
Yes, it is of course possible.
I just tested. Normal 15.2 zypper dup via releasever variable --download-in-advance in a screen terminal application.
It only uses the 4 default repos from 15.2 bumped up to 15.3 string / url.
This has to be wrong, the URLs specific to 15.3 should be added manually before starting. But I have no idea which they are. The upgrade wiki page should tell - does it?
When I try to add repo those backport and sle15updates with their full 15.3 path names from a yast (specify url) there are conflicts being shown by zypper dup, then I canceled because I couldn't decide what to answer.
Yes, that is an unfortunate consequence of missing them on GA. Those repositories are added by the openSUSE-release updated package. Better would be zypper service URL that automatically provides repositories. But that is something openSUSE release managers need to decide and push.
When I look into what comes via those repos, I notice such stuff as openssh, openssl and many more. Meaning: an updated 15.2 to 15.3, initial reboot, such a system is highly attackable and insecure.
Seriously, am I the one getting the concept of a zypper dup wrong here? When I only use the default 15.2 repos and zypper dup with the releasever variable it upgrades like 3000+ packages here, and downgrades many packages.
Read: 15.3 release timestamp some months ago, but the 15.2 being current from today, giving me a lot of downgrades of packages which only come from 15.3 backports and 15.3/sle15updates area with today's current level of security fixes.
So I am downgrading and jeopardizing the perfectly fine 15.2 to a security disaster 15.3 intermediate, am I not?
I don't know about security, but functionality for sure.
Basically you claim that openSUSE Leap 15.3 GA is highly attackable and insecure. Do you have any proof for such a claim? If this is true it should have never been released in the first place.
What I figured here: the zypper dup finished, and still inside the screen terminal muxing window, I can then zypper lr at the very end, showing me then the already added and usable backports and sle15updates repo.
I can still, before rebooting, zypper dup once more, giving me another round of 912 packages/updates right as I am writing these lines, with a helluva lot of updates.
Could you please paste here the output of zypper lr --details so that we can know which repos should be finally active?
I guess this is the actual way every user should upgrade/dup their system if possible.
zypper dup just once leaves the machine with possibly 912 (here) unpatched, unhandled, missing packages and security fixes.
wrong? ty.
Yep.

-- 
Cheers / Saludos,
Carlos E. R.
(from oS Leap 15.2 x86_64 (Minas Tirith))