For anyone else who has been having heartburn over trying to get yum to update openssl on Fedora 19 the last two times those updates were critical, know that you’re not alone.
At least I’m with you.
First during the Heartbleed update (openssl-1.0.1e-37.fc19) and now with the latest to address another exploit, I had to manually install the package and its dependencies because yum reported a conflict.
Error: Package: 1:openssl-1.0.1e-37.fc19.1.i686 (installed)
           Requires: openssl-libs(x86-32) = 1:1.0.1e-37.fc19.1
           Removing: 1:openssl-libs-1.0.1e-37.fc19.1.i686 (installed)
               openssl-libs(x86-32) = 1:1.0.1e-37.fc19.1
           Updated By: 1:openssl-libs-1.0.1e-38.fc19.i686 (updates)
               openssl-libs(x86-32) = 1:1.0.1e-38.fc19
           Available: 1:openssl-libs-1.0.1e-4.fc19.i686 (fedora)
               openssl-libs(x86-32) = 1:1.0.1e-4.fc19
 You could try using --skip-broken to work around the problem
I did try a few time-worn techniques to right things before going the manual route (e.g. doing a “yum clean all”), to no avail.
Only by downloading the rpms from an up-to-date repo (found via mirrors.fedoraproject.org) and then invoking “rpm -Uvh” against them was I able to do the update.
In my case this involved grabbing four packages over HTTP:
openssl-1.0.1e-38.fc19.i686.rpm
openssl-1.0.1e-38.fc19.x86_64.rpm
openssl-libs-1.0.1e-38.fc19.i686.rpm
openssl-libs-1.0.1e-38.fc19.x86_64.rpm
My attempt to use yumdownloader to retrieve the packages failed as it was unable to find the .i686 version of openssl-1.0.1e-38 (which is probably why my yum update failed).
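Added example, not part of the original post: packages fetched by hand over HTTP never pass through yum's gpgcheck, so their signatures should be checked with "rpm -K" before "rpm -Uvh" is run. The sketch assumes the Fedora 19 signing key is already imported into the rpm keyring; sig_ok and verify_all are hypothetical helper names.

```bash
#!/bin/sh
# Verify RPM signatures before a manual "rpm -Uvh" (added example).
# Assumption: the release signing key is already in the rpm keyring.

# sig_ok LINE: succeed only if one line of "rpm -K" output reports a
# verified signature, not merely intact digests.
sig_ok() {
    local line="$1"
    # Any failed check is reported as "NOT OK".
    case "$line" in
        *"NOT OK"*) return 1 ;;
    esac
    # A passing line ends in " OK".
    case "$line" in
        *" OK") ;;
        *) return 1 ;;
    esac
    # An unsigned package still prints "sha1 md5 OK", so require a signature
    # token: rsa/dsa/pgp/gpg on older rpm, "signatures" on newer rpm.
    local result="${line##*: }"
    case " $result " in
        *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*) return 0 ;;
    esac
    return 1
}

# verify_all FILE...: check every package and report each failure.
verify_all() {
    local f out bad=0
    for f in "$@"; do
        out=$(LC_ALL=C rpm -K "$f")
        if sig_ok "$out"; then
            echo "verified: $f"
        else
            echo "REJECTED: $f: $out" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Install only when every package on the command line verifies.
if [ "$#" -gt 0 ]; then
    verify_all "$@" && rpm -Uvh "$@"
fi
```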
This isn’t a knock against yum, by the way. I use it all the time for package management. My opinion is that this is a problem either with the way openssl is being packaged or how it’s being provisioned (although openssl is the only package I’ve had this problem with).
I’m also not addressing the fact that updates for Fedora 19 were only available significantly after those for Fedora 20. My only comment there would be that if the Fedora Project wants to cease supporting Fedora 19 at the same level as they do Fedora 20 at this point, they’ve got every right to do so — but their users also deserve to know that is what is happening. Of course the Fedora Release Life Cycle is very specific about how long a release will be supported, and Fedora 19 fits well within the bounds set. If Project Management so desires they can change that policy any time they want, but again, they need to tell people they’ve done that.
As an aside, I noted several weeks ago that a security update to the gnutls package for Fedora 19 was also significantly delayed as compared to Fedora 20 (as well as Red Hat Enterprise 6 and CentOS 6).
Right now I’m holding off upgrading to Fedora 20 until CentOS 7 is released. As I’ve indicated on this blog recently, my current plan is to switch my home servers over to CentOS 7. Now that it’s clear Fedora 21 won’t be out until this October I’m weighing whether to upgrade my workstations to Fedora 20 or to move them to CentOS 7 as well.