Security Concern

I am using Tumbleweed (Linux 5.13.4-1-default #1 SMP Thu Jul 22 15:55:06 UTC 2021 (91a0cca) x86_64) with Firefox 90.0.2.
Lately the behavior has changed. There are frequent updates, sometimes daily, that are done during a power cycle (example shutdown). Previously, I just did DUP when I had time to allow it to run.
I am concerned the updates are not updates, but some kind of exploit. I have not been asked to provide my password by these power cycle updates.
I have always associated updates requiring a power cycle with Microsoft Windows. Linux has seldom needed a restart to install updates until very recently.
I apologize for the general nature of this posting. If I knew what I was doing, I could provide more information. Everyone has security concerns these days.
Thank you.
J Whit

Your system if only running kernel 5.13.4 is out of date…

cat /etc/os-release 

NAME="openSUSE Tumbleweed"
# VERSION="20210810"
ID_LIKE="opensuse suse"

uname -a

Linux grover 5.13.8-1-default #1 SMP Thu Aug 5 08:56:22 UTC 2021 (967c6a8) x86_64 x86_64 x86_64 GNU/Linux

Not been using tumbleweed-cli per chance?

Are you using the standard repositories?

zypper lr -dE

cat /etc/os-release
NAME=“openSUSE Tumbleweed”


ID_LIKE=“opensuse suse”

Yes I use the Tumbleweed - cli for upgrades. It has never been clear to me how often to run DUP. I do not do it every day, or even every week. Development may proceed faster than I thought.
The updates I am concerned about, just pop up, “Shutdown and install software” when I do a routine shutdown of my PC. They leave no option to bypass them. Then Linux runs the usual shutdown tasks, a black and white progress bar appears, and animates across the screen, and finally a power off. It is never clear where the software comes from. Could be the OS, or Gnome, or an App like VLC. Perhaps there is a log that would tell me what exactly was installed?
I will update to the latest and see what happens then.

Then you need to use tumbleweed-cli command to move to a new release, zypper dup will not work…

Never seen that here, wonder if it packagekit and friends fighting with tumbleweed-cli

There is a web site for tumbleweed-cli to show they status (according to them) of the release (out of date)… see

See here on how to update your system:

Consider disabling and moving to good old zypper -vvv dup?

I must correct. I thought you were asking if I used the command line to update. From reading:, I now understand you were talking about something I did not know about. Tumbleweed-cli, changes the repository URLs in libzypp, and adds some other convenient command line operations.This is very good information that I had not seen. Other earlier posts just said to use zypper ref and zypper dup, There was no mention of tumbleweed switch. This will make things much easier and more compliant.

It will be interesting to see if I still get the self installing updates. In Linux, I never expect updates to just install on their own, without a password, without using Gnome software app., without using yast. Just a pop-up screen that includes an animated progress bar, and the words; installing update. This all happening during a shutdown, which is itself very suspect, because it could evade OS, protections. I was wondering if the Devs had picked up some bad habits from Microsoft, or if there had been a fundamental change in the way the kernel was updated. If it happens again, I will throw my hard drive in the incinerator, and do a clean install on a new drive. Buying a new drive is much cheaper than the problems an exploit could cause.
I have a professionally managed Gateway-Firewall on the network, and it is astounding that it rejects thousands of connections a day, many from world countries where hackers are not necessarily operating as anarchists, but as employees.

I appreciate the prompt expert assistance you have provided.
Thank you,


tumbleweed status

latest : 20210810
target : 20210810
installed: 20210810

Get an SSD or NVME :wink: Looks good now :slight_smile:

It’s likely packagekit services in the background…

My guess is that this is a GNOME feature; I can find this post on a Fedora forum that ironically is a concerned user trying to re-enable updates on-shutdown. Replies there link to Issue 1253 on the GNOME Gitlab’s issues system which ends with:

So if you could check if the screenshot in the Fedora post is the same dialog you are/were seeing on shutdown, that may (somewhat) confirm that what you were seeing was a GNOME feature. That it does not ask for a password may the result of polkit, which is (I think) what allows GNOME’s Palimpsest Disk Utility to run without asking for elevation via gksudo or a similar sort of prompt.

A bit of a tangent, but based on how the command line shutdown command functions, it is a bit strange that shutting down via the GUI usually does not require a password either, though that definitely predates polkit.

One additional question, you mention using zypper’s dup command to update previously; I thought dup is only used on Leap to update between releases. Isn’t Tumbleweed a rolling release, and would therefore only need zypper up and zypper patch?

Tumbleweed requires dup not up. If you use up you will break something:’(

Up is only on Leap. Every update on Tumbleweed is a distribution upgrade :wink:

As said in the documentation : always use "zypper dup --no- allow-vendor-change’ " to update tumbleweed following best practice.

see :

“zypper up” will only update. It normally won’t remove a package that is no longer in the distribution (no longer in any repo).

Most of the time, “zypper dup” is similar. But occasionally there’s a major change to a software package that needs to remove some older packages to install new packages with different names. In that case, only “zypper dup” will work.


no-allow-vendor-change is not strictly need since that is now the default. But always dup not up on Tumbleweed

I looked at the Fedora post screen capture. I did not have the same experience. The Fedora instance clearly allows a decision to abort (Abbrechen). I had no opportunity to intervene. I got a fairly blank screen that said “Installing Software” and the other defining feature was the animated progress bar, running across the center of the screen. I should have used my camera to get a photo. A screen capture was not possible. It did not however look like a standard terminal screen. It was more “graphical” than a basic terminal text screen.

There may be a log of what was installed, but I am not sure where to look.

Just a few days, but I have not had a repeat of the strange behavior since I followed Malcolm’s advice. (installed 20210810 by tumbleweed-cli)

Back to my original question. The progress bar has returned. Either many have seen it, or I need to throw my hard drive in the burn pile.
I update regularly with tumbleweed-cli.
Any guess why my O.S. is volunteering to install software for me, at the more vulnerable time before the O.S. loads?
Thank You!
(link to a photo of the screen)

That’s part of plymouth startup/shutdown and I guess packagekit, I have neither present.

I sometimes experiment with other distros. I have never seen Plymouth use that screen, but of course, it is up to the author who complied the distribution.
I think it is illogical, since it allows “updates” to be inserted without any kind of authorization. That is very risky in my opinion. Could be just exceptional paranoia,
but considering I live in the USA, where everyone thinks your phone, and computers, belong to them (not you) please forgive me.
If the Dev.s read this, consider removing that code.

Thank you, MalcomLewis