How to install only security and bugfixes updates with DNF

Photo by Scott Webb on Unsplash

This article will explore how to filter the updates available to your Fedora Linux system by type. This way you can choose to, for example, only install security or bug fixes updates. This article will demo running the dnf commands inside toolbox instead of using a real Fedora Linux install.

You might also want to read Use dnf updateinfo to read update changelogs before reading this article.

Introduction

If you have been managing system updates for Fedora Linux or any other GNU/Linux distro, you might have noticed how, when you run a system update (with dnf update, in the case of Fedora Workstation), you usually are not installing only security updates.

Due to how package management in a GNU/Linux distro works, generally (with the exception of software running in a container, under Flatpak, or similar technologies) you are updating every single package regardless of whether it’s a “system” software or an “app”.

DNF divides updates in three types: “security”, “bugfix” and “enhancement”. And, as you will see, DNF allows filtering which types you want to operate on.

But, why would you want to update only a subset of packages?

Well, this might depend on how you personally choose to deal with system updates. If you are not comfortable at the moment with updating everything, then restricting the current update to only security updates might be a good choice. You could also install bug fix updates as well and only install enhancements and other types of updates during a future opportunity.

How to filter security and bug fix updates

Start by creating a Fedora Linux 34 toolbox:

toolbox create --distro fedora --release f34 updatefilter-demo

Then enter that toolbox:

toolbox enter updatefilter-demo

From now on commands can be run on a real Fedora Linux install.

First, run dnf check-update to see the unfiltered list of packages:

$ dnf check-update
audit-libs.x86_64                        3.0.5-1.fc34                   updates
avahi.x86_64                             0.8-14.fc34                    updates
avahi-libs.x86_64                        0.8-14.fc34                    updates
...
vim-minimal.x86_64                       2:8.2.3318-1.fc34              updates
xkeyboard-config.noarch                  2.33-1.fc34                    updates
yum.noarch                               4.8.0-1.fc34                   updates

DNF supports passing the types of updates to operate on as parameter: ‐‐security for security updates, ‐‐bugfix for bug fix updates and ‐‐enhancement for enhancement updates. Those work on commands such as dnf check-update, dnf update and dnf updateinfo.

For example, this is how you filter the list of available updates by security updates only:

$ dnf check-update --security
avahi.x86_64                               0.8-14.fc34                  updates
avahi-libs.x86_64                          0.8-14.fc34                  updates
curl.x86_64                                7.76.1-7.fc34                updates
...
libgcrypt.x86_64                           1.9.3-3.fc34                 updates
nettle.x86_64                              3.7.3-1.fc34                 updates
perl-Encode.x86_64                         4:3.12-460.fc34              updates

And now same thing but by bug fix updates only:

$ dnf check-update --bugfix
audit-libs.x86_64                      3.0.5-1.fc34                     updates
ca-certificates.noarch                 2021.2.50-1.0.fc34               updates
coreutils.x86_64                       8.32-30.fc34                     updates
...
systemd-pam.x86_64                     248.7-1.fc34                     updates
systemd-rpm-macros.noarch              248.7-1.fc34                     updates
yum.noarch                             4.8.0-1.fc34                     updates

They can even be combined, so you can use two or more of them at the same time. For example, you can filter the list to show both security and bug fix updates:

$ dnf check-update --security --bugfix
audit-libs.x86_64                      3.0.5-1.fc34                     updates
avahi.x86_64                           0.8-14.fc34                      updates
avahi-libs.x86_64                      0.8-14.fc34                      updates
...
systemd-pam.x86_64                     248.7-1.fc34                     updates
systemd-rpm-macros.noarch              248.7-1.fc34                     updates
yum.noarch                             4.8.0-1.fc34                     updates

As mentioned, dnf updateinfo also works with this filtering, so you can filter dnf updateinfo, dnf updateinfo list and dnf updateinfo info. For example, for the list of security updates and their IDs:

$ dnf updateinfo list --security
FEDORA-2021-74ebf2f06f Moderate/Sec.  avahi-0.8-14.fc34.x86_64
FEDORA-2021-74ebf2f06f Moderate/Sec.  avahi-libs-0.8-14.fc34.x86_64
FEDORA-2021-83fdddca0f Moderate/Sec.  curl-7.76.1-7.fc34.x86_64
FEDORA-2021-e14e86e40e Moderate/Sec.  glibc-2.33-20.fc34.x86_64
FEDORA-2021-e14e86e40e Moderate/Sec.  glibc-common-2.33-20.fc34.x86_64
FEDORA-2021-e14e86e40e Moderate/Sec.  glibc-minimal-langpack-2.33-20.fc34.x86_64
FEDORA-2021-8b25e4642f Low/Sec.       krb5-libs-1.19.1-14.fc34.x86_64
FEDORA-2021-83fdddca0f Moderate/Sec.  libcurl-7.76.1-7.fc34.x86_64
FEDORA-2021-31fdc84207 Moderate/Sec.  libgcrypt-1.9.3-3.fc34.x86_64
FEDORA-2021-d1fc0b9d32 Moderate/Sec.  nettle-3.7.3-1.fc34.x86_64
FEDORA-2021-92e07de1dd Important/Sec. perl-Encode-4:3.12-460.fc34.x86_64

If desired, you can install only security updates:

# dnf update --security
================================================================================
 Package                     Arch        Version             Repository    Size
================================================================================
Upgrading:
 avahi                       x86_64      0.8-14.fc34         updates      289 k
 avahi-libs                  x86_64      0.8-14.fc34         updates       68 k
 curl                        x86_64      7.76.1-7.fc34       updates      297 k
...
 perl-Encode                 x86_64      4:3.12-460.fc34     updates      1.7 M
Installing weak dependencies:
 glibc-langpack-en           x86_64      2.33-20.fc34        updates      563 k

Transaction Summary
================================================================================
Install   1 Package
Upgrade  11 Packages

Total download size: 9.7 M
Is this ok [y/N]: 

Or even to install both security and bug fix updates while ignoring enhancement updates:

# dnf update --security --bugfix
================================================================================
 Package                      Arch     Version                  Repo       Size
================================================================================
Upgrading:
 audit-libs                   x86_64   3.0.5-1.fc34             updates   116 k
 avahi                        x86_64   0.8-14.fc34              updates   289 k
 avahi-libs                   x86_64   0.8-14.fc34              updates    68 k
...
 rpm-plugin-systemd-inhibit   x86_64   4.16.1.3-1.fc34          fedora     23 k
 shared-mime-info             x86_64   2.1-2.fc34               fedora    374 k
 sqlite                       x86_64   3.34.1-2.fc34            fedora    755 k

Transaction Summary
================================================================================
Install  11 Packages
Upgrade  45 Packages

Total download size: 32 M
Is this ok [y/N]: 

Install only specific updates

You may also choose to only install the updates with a specific ID, such as FEDORA-2021-74ebf2f06f for avahi by using –advisory and specifying the ID:

# dnf update --advisory=FEDORA-2021-74ebf2f06f
================================================================================
 Package             Architecture    Version             Repository        Size
================================================================================
Upgrading:
 avahi               x86_64          0.8-14.fc34         updates          289 k
 avahi-libs          x86_64          0.8-14.fc34         updates           68 k

Transaction Summary
================================================================================
Upgrade  2 Packages

Total download size: 356 k
Is this ok [y/N]: 

Or even multiple updates, with ‐‐advisories:

# dnf update --advisories=FEDORA-2021-74ebf2f06f,FEDORA-2021-83fdddca0f
================================================================================
 Package            Architecture   Version                Repository       Size
================================================================================
Upgrading:
 avahi              x86_64         0.8-14.fc34            updates         289 k
 avahi-libs         x86_64         0.8-14.fc34            updates          68 k
 curl               x86_64         7.76.1-7.fc34          updates         297 k
 libcurl            x86_64         7.76.1-7.fc34          updates         284 k

Transaction Summary
================================================================================
Upgrade  4 Packages

Total download size: 937 k
Is this ok [y/N]: 

Conclusion

In the end it all comes down to how you personally prefer to manage your updates. But if you need, for whichever reason, to only install security updates, then these filters will surely come in handy!

Using Software

17 Comments

  1. Sanjay

    This is an awesome article. I never knew updates could be applied this way. Thank you

  2. Pascal V Calarco

    Very helpful, thank you!

  3. iMaster7

    Boa Mateus parabéns pela matéria.

  4. hammerhead corvette

    Bravo !

  5. Nate

    Love it. dnf is why I still use Fedora for everything by default.

  6. Leon

    Wow This is very nice

  7. Very useful. Thanks!

  8. Stepan Putilo

    This is incredible! Long live the White Goose!

  9. Rose Peach

    Helpful article. I didn’t know that you could use DNF in this way before.

  10. svsv sarma

    A good article, explaining the piecemeal updates using DNF. Can anyone explain why we should avoid some updates? For me the best option is to use the default DNF update / upgrade, to keep the system uptodate. I really wonder if anyone ever used peacemeal updates regularly, except for live OS.
    thank you.

    • svsv sarma From my experience I’ve avoided a general updates for things like Microsoft Teams. Sometimes getting the latest update is not ideal.

  11. ss

    thank you great info, and very useful.

  12. Paulimer

    Very informative, thanks for the article!
    Is there a way to pair that with dnf-automatic, to have security and bugfixes updates automatically, and the others manually?

  13. Thank you Mateus good article and great info to have.

  14. rtqate

    Is creating a toolbox actually needed? I tried just this, without anything else, and it appeared to do the magic (hope it doesn’t break anything, lol):

    sudo dnf update –security –bugfix

  15. Pstall

    Unfortunately partial updates are dangerous and can break a Fedora system. Here is an example:
    Install Fedora Workstation 34 official iso “Fedora-Workstation-Live-x86_64-34-1.2.iso” published on April 23rd in a VirtualBox virtual machine having EFI enabled. After standard installation and first reboot, disable Location Services, let Automatic Problem Reporting on, create a user.
    1694 packages are installed. “dnf check-update” shows 811 package updates available. “dnf check-update –security” shows 99 updates available. Let’s install them “sudo dnf update –security” and reboot.
    Now “dnf check-update –bugfix” shows 501 updates available. Let’s install them “sudo dnf update –bugfix” and reboot.
    The VM cannot boot anymore. An image is displayed: “:-( Oh no! Something has gone wrong. A problem has occurred and the system can’t recover. Please contact a system administrator”.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: