Tumbleweed update repo?!

mleun1 · December 27, 2014, 8:37pm

https://en.opensuse.org/openSUSE:Tumbleweed_installation#Repositories

says one should add

http://download.opensuse.org/update/tumbleweed

but there is no such repo.

Also, there is no update/factory thingy.

So, what the hell one should add for getting updates to tumbleweed?

An unpatched (in tumbleweed) critical ntp bug is no fun.

PLEASE - either create the repo or update the howto.

Thanks.

mleun1 · December 27, 2014, 8:55pm

sorry for creating this thread when

https://forums.opensuse.org/showthread.php/503552-update-tumbleweed-directory-is-not-available

existed, but the brilliant forum search did not show that thread when searching for “update”.

robin_listas · December 28, 2014, 3:38am

On 2014-12-27 20:46, mleun1 wrote:

> PLEASE - either create the repo or update the howto.

We can not do that. We are users like you.

–
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

wolfi323 · December 28, 2014, 1:40pm

The repo is there. But to access it with a web browser, you’d have to add a ‘/’: http://download.opensuse.org/update/tumbleweed/

That said, it is empty, yes.
Tumbleweed is a rolling distribution. You normally get updates via the standard repo, not via an additional update repo.
This update repo only exists for emergencies when there’s a critical security update and Tumbleweed cannot be published because of failures in the tests.
Most of the time (always, if there are no problems) the update repo will be empty therefore.

wolfi323 · December 28, 2014, 1:52pm

PS: If you think the ntp bug is really critical, write a mail to the Factory mailinglist as I wrote in the other thread, or file a bug report.

The developers/factory maintainers likely will not read your post here.

You can install the latest (fixed) version from here though:
http://download.opensuse.org/repositories/network:/time/openSUSE_Factory/
That’s the devel repo for Factory/Tumbleweed.

wolfi323 · December 29, 2014, 6:19pm

FYI: as of today, the fixed ntp package is in the standard Tumbleweed repo now.

mleun1 · January 2, 2015, 9:52pm

OK, thanks for the explanation how it is supposed to work and why that update repository is empty the most time.

But the point is with the old style tumbleweed maintained by gregkh the updates came via the current (e.g. 13.1 when 13.1 was current) updates (I asked Greg some time ago and he told me so). In case of the ntp bug the patches for OpenSUSE 13.2 came very fast and with the old tumbleweed you would have got them. Now that took quite some time for them to appear. CVSS 7.5 / possible remote execution of code - not good to leave unpatched…

So, it looks to me due to the merge of tumbleweed and factory the situation for having BOTH an rolling update distro AND having quick security updates became worse.

I’ll look how this is in future and how long security issues remain unfixed in tumbleweed and maybe I’ve to reconsider my distro choice.

wolfi323 · January 2, 2015, 9:58pm

Yes. The old Tumbleweed basically was just an additional update repo for the latest openSUSE release.
You got security updates via the standard update repo for that release.

Now Tumbleweed is a complete distribution itself. So of course it works different.

In case of the ntp bug the patches for OpenSUSE 13.2 came very fast and with the old tumbleweed you would have got them. Now that took quite some time for them to appear. CVSS 7.5 / possible remote execution of code - not good to leave unpatched…

Well, as I told you you could have asked on the Factory mailinglist and/or filed a bug report.
I suppose one of the reasons it took so long might have been the holidays though.

OTOH, ntpd does not run at all on a default installation. If you enable ntp, a cronjob to synchronize the time is run every 15 minutes, but not the daemon.
And even when you enable the daemon it runs in a chroot jail.
So this probably didn’t matter at all for most users.

So, it looks to me due to the merge of tumbleweed and factory the situation for having BOTH an rolling update distro AND having quick security updates became worse.

No. Actually getting updates via Factory/Tumbleweed always was and still is faster than via the update repo.
But as more testing is done now, getting a package out does take longer than before.
And if the tests fail, there’s no way to push through a security update, that’s why that separate (empty) update repo exists.
Whether it will be used, is to be decided on a case-by-case basis of course. And as long as there’s no problem with the openQA tests, there’s absolutely no need at all for that repo.

fleerink · January 10, 2015, 4:18pm

Hello,

Have a look at the following URL:

openSUSE:Tumbleweed installation - openSUSE

I removed my old repositories and added the new Thumbleweed repositories as described under update – Repositories.

Regards, Frans