Zypper dup throws an Error & fails to complete system update

Hi! Good morning or good evening wherever you are :slight_smile:

So just to clarify, I’m using Leap 16 / 6.12.0-160000.9-default. I’ve updated the system multiple times without issue; however, recently I pushed for a flatpak update first and then I pushed for a whole system update, i.e. sudo zypper dup, and it threw up multiple errors and it simply doesn’t complete the install of updates, as you’ll see in the screenshot provided below.

I’m not going to go into it too much here, but one of the main reasons I pushed for a flatpak update is so I can use the latest version of Firefox and VLC; the version that comes preinstalled in Leap 16 doesn’t update to the latest versions, and in my opinion both of them, even after multiple system updates, have issues, hence I have 2 versions of each application installed, which is confusing but not a major problem.

I’ve got a feeling @hui will know what’s going on because I’ve seen two similar issues but I don’t know how exactly to rectify the problem. Thanks in advance.


@localhost:~> zypper lr -d
#  | Alias                                    | Name                                                       | Enabled | GPG Check | Refresh | Keep | Priority | Type   | URI                                                                                                         | Service
---+------------------------------------------+------------------------------------------------------------+---------+-----------+---------+------+----------+--------+-------------------------------------------------------------------------------------------------------------+---------
 1 | Leap                                     | Leap 16.0                                                  | No      | ----      | ----    | -    |   99     | rpm-md | hd:/install?device=/dev/disk/by-id/usb-Generic_Flash_Disk_F0FED9AC-0:0-part2                                | 
 2 | I removed this                           |                                                            | Yes     | (r ) Yes  | Yes     | -    |   99     | rpm-md | 
 3 | brave-browser                            | Brave Browser                                              | Yes     | (r ) Yes  | Yes     | -    |   99     | rpm-md | https://brave-browser-rpm-release.s3.brave.com/x86_64                                                       | 
 4 | home_alex_sh_gsmartcontrol_stable_latest | GSmartControl - Latest Stable Branch (openSUSE_Tumbleweed) | Yes     | (r ) Yes  | No      | -    |   99     | rpm-md | https://download.opensuse.org/repositories/home:/alex_sh:/gsmartcontrol:/stable_latest/openSUSE_Tumbleweed/ | 
 5 | home_alois_leap160                       | Clean Leap 16.0 project (16.0)                             | Yes     | (r ) Yes  | No      | -    |   99     | rpm-md | https://download.opensuse.org/repositories/home:/alois:/leap160/16.0/                                       | 
 6 | home_ecsos_mozilla                       | home:ecsos:mozilla (16.0)                                  | Yes     | (r ) Yes  | No      | -    |   99     | rpm-md | https://download.opensuse.org/repositories/home:/ecsos:/mozilla/16.0/                                       | 
 7 | home_nuklly                              | Home Project of xz (16.0)                                  | Yes     | (r ) Yes  | No      | -    |   99     | rpm-md | https://download.opensuse.org/repositories/home:/nuklly/16.0/                                               | 
 8 | home_tarcjf                              | home:tarcjf (16.0)                                         | Yes     | (r ) Yes  | No      | -    |   99     | rpm-md | https://download.opensuse.org/repositories/home:/tarcjf/16.0/                                               | 
 9 | openSUSE:repo-non-oss                    | repo-non-oss (16.0)                                        | No      | ----      | ----    | -    |   99     | N/A    | http://cdn.opensuse.org/distribution/leap/16.0/repo/non-oss/x86_64                                          | openSUSE
10 | openSUSE:repo-non-oss-debug              | repo-non-oss-debug (16.0)                                  | No      | ----      | ----    | -    |   99     | N/A    | http://cdn.opensuse.org/debug/distribution/leap/16.0/repo/non-oss/x86_64                                    | openSUSE
11 | openSUSE:repo-openh264                   | repo-openh264 (16.0)                                       | Yes     | (r ) Yes  | Yes     | -    |   99     | rpm-md | http://codecs.opensuse.org/openh264/openSUSE_Leap_16                                                        | openSUSE
12 | openSUSE:repo-oss                        | repo-oss (16.0)                                            | Yes     | (r ) Yes  | Yes     | -    |   99     | rpm-md | http://cdn.opensuse.org/distribution/leap/16.0/repo/oss/x86_64                                              | openSUSE
13 | openSUSE:repo-oss-debug                  | repo-oss-debug (16.0)                                      | No      | ----      | ----    | -    |   99     | N/A    | http://cdn.opensuse.org/debug/distribution/leap/16.0/repo/oss/x86_64                                        | openSUSE
14 | openSUSE:repo-oss-source                 | repo-oss-source (16.0)                                     | No      | ----      | ----    | -    |   99     | N/A    | http://cdn.opensuse.org/source/distribution/leap/16.0/repo/oss                                              | openSUSE
15 | security                                 | Security tools (16.0)                                      | Yes     | (r ) Yes  | No      | -    |   99     | rpm-md | https://download.opensuse.org/repositories/security/16.0/                                                   

You hit several issues:

  1. Don’t perform zypper dup on Leap. Only zypper up. Else packages from any enabled repo get installed with the highest version.
  2. Several repos are wrongly added. They miss the “refresh” flag, thus the retrieval of packages fails with a “404” error. Add the refresh flag.
  3. Several development and home repos were added.

Hi, thanks for your response. So I did sudo zypper refresh and sudo zypper up and it worked :slight_smile:

I just wanted to ask what did you mean by your last comment 3. ?

Repositories 4 to 8 are home repositories. That means they come from private persons. No quality control. No compatibility tests. Sooner or later (more likely sooner), the use of home repositories will lead to serious issues on your system. You need to be confident that you can solve these.
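
Added example, not part of any poster's reply: a small shell filter for the two repository problems named above (enabled repos without the refresh flag, and repos under home: projects). It reads `zypper lr -d` output on stdin; the function names and output labels are this example's own, and the sample rows are taken from the listing above with the column padding removed.

```shell
#!/bin/sh
# Flag repositories in `zypper lr -d` output that match the two problems
# named in the thread. Column positions follow the table layout shown above:
# # | Alias | Name | Enabled | GPG Check | Refresh | Keep | Priority | Type | URI | Service
audit_repos() {
    awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Data rows start with a repo number; this skips the header and the rule.
    trim($1) ~ /^[0-9]+$/ {
        alias = trim($2); enabled = trim($4); refresh = trim($6); uri = trim($10)
        if (enabled != "Yes") next      # disabled repos are not consulted
        if (refresh == "No")            # stale metadata, leads to 404s
            printf "NO-REFRESH %s\n", alias
        if (uri ~ /\/repositories\/home:\//)   # personal OBS project
            printf "HOME-REPO %s\n", alias
    }'
}

# Sample input: four rows from the listing in this thread, padding removed.
sample_lr() {
    cat <<'EOF'
#  | Alias | Name | Enabled | GPG Check | Refresh | Keep | Priority | Type | URI | Service
---+-------+------+---------+-----------+---------+------+----------+------+-----+--------
 7 | home_nuklly | Home Project of xz (16.0) | Yes | (r ) Yes | No | - | 99 | rpm-md | https://download.opensuse.org/repositories/home:/nuklly/16.0/ | 
 9 | openSUSE:repo-non-oss | repo-non-oss (16.0) | No | ---- | ---- | - | 99 | N/A | http://cdn.opensuse.org/distribution/leap/16.0/repo/non-oss/x86_64 | openSUSE
12 | openSUSE:repo-oss | repo-oss (16.0) | Yes | (r ) Yes | Yes | - | 99 | rpm-md | http://cdn.opensuse.org/distribution/leap/16.0/repo/oss/x86_64 | openSUSE
15 | security | Security tools (16.0) | Yes | (r ) Yes | No | - | 99 | rpm-md | https://download.opensuse.org/repositories/security/16.0/ | 
EOF
}

# Run against the sample; on a real system use: zypper lr -d | audit_repos
sample_lr | audit_repos
```
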

Oh, wow … and especially #7 (xz utils) … that brings back a bad memory that happened Mar 2024 … we were using TW back then and our TW machines got that horrendous “xz” update that contained the sophisticated backdoor (CVE-2024-3094) - sadly, the backdoor version was included in the “zypper dup”.

I would especially avoid a “home” repo of xz utils!

A basic check shows that “xz” is only part of the repo name. There is not a single trace of the xz package in that repo…

I downloaded them from https://software.opensuse.org/ because I found it difficult to download directly from the site of the software. I didn’t realise the use of home repositories could ever lead to issues; I mean, it’s where it automatically installs to when you complete the terminal commands.

What was the “xz” and “xz utils” exactly and where did it come from? Was it also an openSUSE-specific issue or Linux generally?

A general problem:

Be sure to read the article provided in @Sauerland’s reply, which gives overall details.

It was a vulnerability NOT specifically for openSUSE, but (could have) affected all Linux distros that include the “xz Utils”.

Here’s a thread that was posted out here in openSUSE Forum (TW section / tag), when it was discovered in TW: