Security updates which never install

Hey all,

I’ve got a number of AlmaLinux server installs and, on every one of them for the past few weeks, I’ve had security updates reported but which never install.

Here’s an example machine:

~]$ sudo dnf updateinfo list security all
Last metadata expiration check: 0:00:07 ago on Tue 04 Oct 2022 12:04:43 BST.
ALSA-2019:2512 Important/Sec. libserf-1.3.9-9.module_el8.6.0+2912+eb1cdf5a.x86_64
ALSA-2020:4712 Moderate/Sec.  libserf-1.3.9-9.module_el8.6.0+2912+eb1cdf5a.x86_64
ALSA-2021:0507 Important/Sec. libserf-1.3.9-9.module_el8.6.0+2912+eb1cdf5a.x86_64
ALSA-2022:2234 Important/Sec. libserf-1.3.9-9.module_el8.6.0+2912+eb1cdf5a.x86_64
ALSA-2022:1759 Moderate/Sec.  qemu-guest-agent-17:6.2.0-11.el9_0.3.x86_64
ALSA-2019:2512 Important/Sec. utf8proc-2.1.1-5.module_el8.6.0+2912+eb1cdf5a.x86_64
ALSA-2020:4712 Moderate/Sec.  utf8proc-2.1.1-5.module_el8.6.0+2912+eb1cdf5a.x86_64
ALSA-2021:0507 Important/Sec. utf8proc-2.1.1-5.module_el8.6.0+2912+eb1cdf5a.x86_64
ALSA-2022:2234 Important/Sec. utf8proc-2.1.1-5.module_el8.6.0+2912+eb1cdf5a.x86_64

Choosing to install only security updates (or all updates) result in the available updates never installing:

~]$ sudo dnf update --security
Last metadata expiration check: 0:08:19 ago on Tue 04 Oct 2022 12:04:43 BST.
Dependencies resolved.
Nothing to do.

The packages in question are installed and would appear (versioning-wise) to need updating:

~]$ sudo dnf list installed | grep 'libserf'
libserf.x86_64                              1.3.9-9.module_el8.6.0+2897+d2f1747f         @appstream
~]$ sudo dnf list installed | grep 'utf8proc'
utf8proc.x86_64                             2.1.1-5.module_el8.6.0+2897+d2f1747f         @appstream

Any pointers on this? Should I uninstall and reinstall the packages?

Thanks in advance!


CentOS repos never had any security metadata. Hence I’m used to yum update (i.e. sudo dnf up). With no filter on by any tags should give all available updates.

That said, I do get a list with updateinfoeven though plain upoffers nothing and versions do match.

I think I saw discussion about some issues in the Alma’s errata system. I’d guess that is involved in generating the security tags into repo metadata. I have no idea how it functions, but I would not be surprised if tags have timestamps and those now later than when we have installed some packages.

PS. DNF can specify packages with globs. E.g. sudo dnf list \*libserf\* \*utf8\*
See specifying packages from ‘man dnf’.