Doesn't e-mail when updates cannot be installed #1918

Closed
brianjmurrell opened this issue Mar 31, 2023 · 11 comments

Comments

@brianjmurrell

I have dnf-automatic configured to send e-mail reports. This works very well when dnf-automatic is able to apply updates.

However, when it cannot, due to perhaps a package conflict or even just needing to accept a new repository key, dnf-automatic is completely silent. No e-mail, no nothing.

So unless I am auditing each morning all of the systems I do get an e-mail about, it's very easy to miss that a system is not being automatically updated, for days or even weeks.

Clearly this is a security issue as one of the primary pros of automatically updating is keeping one's system up-to-date with security updates.

jan-kolarik self-assigned this Apr 3, 2023

@jan-kolarik
Member

There is a related Bugzilla ticket: https://bugzilla.redhat.com/show_bug.cgi?id=2170093.

@brianjmurrell
Author

@jan-kolarik Thanks for the pointer. I went to add this ticket to RHBZ#2170093 as an upstream ticket but that functionality seems to have been removed from RH's BZ. :-(

@jan-kolarik
Member

jan-kolarik commented Apr 20, 2023

I started working on the related BZ and realized this is a different issue. I was looking into the current implementation of dnf-automatic notifications and they are not implemented in case of transaction failure. So basically, this seems to be a request for a new feature and not a bug. I will discuss this on our next planning meeting and let you know about our further plans.

@brianjmurrell
Author

I guess that's a matter of semantics/perspective. That it fails silently is a bug at some level, whether that is in implementation or design. IMHO.

@jan-kolarik
Member

The silent fail described in the given Bugzilla is definitely a bug, while I am not sure about the reporting emitters functionality. Looking into the man page though, it is stated there as "reporting the results", so it seems not only the successful cases, but I need to clarify that with the team.

@jan-kolarik
Member

It seems that sending notifications on failure was not implemented or intended yet. While our current focus is primarily on DNF5 development, adding this feature to the system is not our top priority at the moment. However, we have added it to our backlog and will consider it in the future.

jan-kolarik removed their assignment Apr 21, 2023

@brianjmurrell
Author

Really? Even though this is quite arguably a system security/vulnerability issue?

Systems that silently fail the automatic DNF update fall further and further into becoming a security nightmare as those systems continue to fail to install potentially very important security updates.

@derickdiaz
Contributor

@brianjmurrell I attempted to work on this on my own time: #2005

@jan-kolarik
Member

> @brianjmurrell I attempted to work on this on my own time: #2005

I'd be happy to do the review.

@jan-kolarik
Member

Fixed by #2005.

@celesteking

> sending notifications on failure was not implemented or intended yet

Are you kidding me? So that a vulnerable system would be sitting there without any reporting, ripe for exploitation?
