The libxml2 update specified by CVE-2010-4494 causes a notification that it will break Adobe AIR and TweetDeck on my machine.
How can I blacklist this update so it won’t keep showing up in the Updater applet?
The applet says I should go into Yast and manually apply the update. When I do that and tell it not to apply the update, Yast exits and the Updater applet just tells me the update is still pending. I want to get rid of the update at least temporarily until Adobe fixes the dependency (assuming they ever do).
This is a major problem for me as I clearly don’t intend to uninstall TweetDeck and AIR just for some security patch. Why didn’t openSUSE test this patch for AIR compatibility?
Well, did a bunch more research, discovered that there IS NO way to blacklist a package update because the Yast “Taboo” and “Protect” flags only work within the given Yast session, which apparently is a known total fail from the software specification.
Truly stupid. Apparently it was supposed to be fixed for 11.4, which I haven’t upgraded to yet. Anyone know if it has been fixed in 11.4?
I tried installing the patch anyway based on someone who had a similar problem with the BBC application which apparently worked anyway, but when I tried, I got a list of over 600 other dependencies that wouldn’t go. So much for that idea.
So until Adobe and TweetDeck update their dependency on the previous libxml2 version (and I suppose I should wish myself good luck with that!), I guess the Update Applet is history on my machine. I’ll just do manual updates from Yast, excluding that one - when I remember to do it.
Kinda obviates the point of the Updater Applet, don’t it? In Windows Update, I just check a box saying “don’t show me this again” and it’s done. But no, the KDE rocket scientists never thought of that - or rather, they did, then completely failed to implement it.
Patches accepted. If you are unable to fix the problem, you can pay me to write a patch for you and I’ll submit it. Seriously though, that was uncalled for. I understand being frustrated, but try to remain civil.
On 2011-04-05 09:36, richardstevenhack wrote:
> Well, did a bunch more research, discovered that there IS NO way to
> blacklist a package update because the Yast “Taboo” and “Protect” flags
> only work within the given Yast session, which apparently is a known
> total fail from the software specification.
No, taboo is permanent. I have had a package tabooed for months, in 11.2.
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
Well, this is what I just did. I went into Yast and protected every package associated with libxml2. Then I started up the Updater Applet, which, after some nonsense about a “dummy patch for applet” which I installed, did a check and told me the libxml2 update was available. I told it to install, entered the root password, it came back with an error, I clicked the “update with Yast” button, went in, got the message that it couldn’t be provided, I selected “Don’t install the patch”, then I right clicked the patch and selected the Taboo option. Accepted, finished.
Guess what? The applet immediately said the update was available.
So, no, “Taboo” does NOT work.
So now I’m going to reboot and see what the applet says. If it offers that update again, I’m going to kill it and never use it again until I upgrade to 11.4, which I’ll probably do sometime in the next couple weeks.
Decided to go ahead and upgrade to 11.4. Problem solved. Upgrade didn’t go too bad either, just had to reinstall some apps, AIR/TweetDeck among them. Since 11.4 no longer has the KDE Updater applet, I guess I don’t have to worry about it any more!