FAQ: Updates

 

How do I get updates?

SL publishes updates via two yum repositories, ‘fastbugs’ and ‘security’.

With these repositories enabled, updated packages will be installed automatically via an automated or manual yum update.

What are the ‘security’ and ‘fastbugs’ repos?

The ‘security’ yum repo contains the packages necessary to mitigate any resolved security issues. Some ‘non-security’ packages may be published into the security repo if they are required for dependency resolution. This repo also contains the latest ‘tzdata’ and ‘selinux-policy’ to ensure fixes to these package help protect your system security. This repo is enabled by default.

The ‘fastbugs’ repo contains package updates which are not security-related (bugfixes and enhancements).

Why are security updates on by default?

Scientific Linux is installed by people of all backgrounds and skill sets. Our primary audience is the scientific community. Most scientists are too busy doing research to also take systems administration classes. Scientific Linux ships with security updates on by default so that the systems installed for short term research by people who don’t want to maintain them don’t become a hazard to the rest of the internet community.

Professional systems admins who want to schedule their updates can figure out how to disable the automatic updates.  The reverse is not always true.

How quickly are updates released?

We aim to have them out within a few days after receiving them from upstream. Pushing updates too quickly breaks things more often than it fixes them. Our official goal is to publish updates as fast as we can safely do so.

What about updates to older releases?

We will continue to publish security packages for older releases for the lifecycle of the major version.

We do not backport patches.

So, if you are SL 6.3 you will continue to receive security updates in the ‘security’ repo for the life cycle of SL 6. These updates are simply the newest release of the associated package. We encourage you to update to the ‘x‘ release to receive the various bugfixes available in non-security packages as well. We cannot be sure how the updated security packages will behave on an older system.

Unless they are required, older releases do not receive bug fix packages.

[Errno -1] Metadata file does not match checksum

You’ve got stale metadata. They repo was updated between when you cached the metadata info and when you downloaded it. Generally this means a package (or more) was added to the repo recently. Run this command and you should be all set:

yum clean expire-cache

Why do you consider tzdata/selinux security packages?

With the tzdata updates, there is the possibility of a replay attack or, for our Kerberos users, a denial of service. Both of these possibilities are due to the change in the system clock. The possibility of meaningful exploit is remote. However, if your Kerberos system is running Scientific Linux you may find yourself unable to get tickets if the clock is sufficiently different. This accidental denial of service may result in unplanned outages and significant headaches for you – the systems admin. So, we publish the updated tzdata files where you can get them automatically.

We believe you should leave selinux in Enforcing mode. To that end, we are trying to minimize any selinux bugs that you may encounter. To help enhance the security of your systems, we publish selinux updates as though they were security updates.