zypper patch vs zypper up

Running zypper patch shows and installs packages labeled as patches and also includes upgrades. These install fine.
Running zypper up right afterwards shows additional upgrades. These also install without problems.
But, Running zypper up never shows any patches.

So, what is the difference between upgrades identified in zypper patch vs those identified by zypper up?
Why doesn’t zypper patch show and install all of the ugrades?
If one only runs zypper up, do you ever install the patches? Perhaps, they are invisible installs.

If anyone has any clarifications, please let me know. As for now, I run zypper patch followed by zypper up.

Not a major issue but, I’d like a clarification.

thanks, tom kosvic

Don’t see that here…just ran zypper -vvv up -t patch and saw two packages, ran zypper -vvv up it installed 37 packages, then ran zypper -vvv up -t patch and no packages to install as they where pulled in via the up.

I have been running “zypper patch” and “zypper up”.

I am not familiar with zypper -vvv up -t patch or 'zypper -vvv up` as mentioned in above response. Perhaps that is why am seeing what I see.

I will look up these zypper options.

thanks for the tip. tom kosvic

First, let’s distinguish patches from packages. Both are so called “resolvables” or “resource objects” the package manager works with. Now packages are more granular than patches. Packages can be in both the default repos and any other one you add to your system additionally.

Whereas patches are not real packages, they don’t contain any software per se, they only consist of pieces of information, mainly referring to individual packages via conflicts. So by installing a patch, what you’re really installing are packages whose older versions the patch is in conflict with. Let’s check some patch:

david@atronach-opensuse:~> LANG=C sudo zypper info --type patch openSUSE-SLE-15.3-2021-2830
Loading repository data...
Reading installed packages...

Information for patch openSUSE-SLE-15.3-2021-2830:
Repository  : repo-sle-update
Name        : openSUSE-SLE-15.3-2021-2830
Version     : 1
Arch        : noarch
Vendor      : maint-coord@suse.de
Status      : needed
Category    : security
Severity    : important
Created On  : Tue Aug 24 16:20:43 2021
Interactive : ---
Summary     : Security update for openssl-1_1
Description : 
    This update for openssl-1_1 fixes the following security issues:

    - CVE-2021-3711: A bug in the implementation of the SM2 decryption code
      could lead to buffer overflows. [bsc#1189520]

    - CVE-2021-3712: a bug in the code for printing certificate details could
      lead to a buffer overrun that a malicious actor could exploit to crash
      the application, causing a denial-of-service attack. [bsc#1189521]
Provides    : patch:openSUSE-SLE-15.3-2021-2830 = 1
Conflicts   : [28]
    libopenssl-1_1-devel.x86_64 < 1.1.1d-11.27.1
    libopenssl-1_1-devel.noarch < 1.1.1d-11.27.1
    libopenssl-1_1-devel-32bit.x86_64 < 1.1.1d-11.27.1
    libopenssl-1_1-devel-32bit.noarch < 1.1.1d-11.27.1
    libopenssl1_1.x86_64 < 1.1.1d-11.27.1
    libopenssl1_1.noarch < 1.1.1d-11.27.1
    libopenssl1_1-32bit.x86_64 < 1.1.1d-11.27.1
    libopenssl1_1-32bit.noarch < 1.1.1d-11.27.1
    libopenssl1_1-hmac.x86_64 < 1.1.1d-11.27.1
    libopenssl1_1-hmac.noarch < 1.1.1d-11.27.1
    libopenssl1_1-hmac-32bit.x86_64 < 1.1.1d-11.27.1
    libopenssl1_1-hmac-32bit.noarch < 1.1.1d-11.27.1
    openssl-1_1.src < 1.1.1d-11.27.1
    openssl-1_1.noarch < 1.1.1d-11.27.1
    openssl-1_1.x86_64 < 1.1.1d-11.27.1
    openssl-1_1-doc < 1.1.1d-11.27.1
    libopenssl-1_1-devel.s390x < 1.1.1d-11.27.1
    libopenssl1_1.s390x < 1.1.1d-11.27.1
    libopenssl1_1-hmac.s390x < 1.1.1d-11.27.1
    openssl-1_1.s390x < 1.1.1d-11.27.1
    libopenssl-1_1-devel.ppc64le < 1.1.1d-11.27.1
    libopenssl1_1.ppc64le < 1.1.1d-11.27.1
    libopenssl1_1-hmac.ppc64le < 1.1.1d-11.27.1
    openssl-1_1.ppc64le < 1.1.1d-11.27.1
    libopenssl-1_1-devel.aarch64 < 1.1.1d-11.27.1
    libopenssl1_1.aarch64 < 1.1.1d-11.27.1
    libopenssl1_1-hmac.aarch64 < 1.1.1d-11.27.1
    openssl-1_1.aarch64 < 1.1.1d-11.27.1

You can see all the pkgs the patch is in conflict with unless the specified version or a higher one of those packages is supplied. They also list the package variants for different CPU architectures so by installing the patch you’re not installing all of them but only those relevant for your CPU. Let’s verify it:

david@atronach-opensuse:~> LANG=C sudo zypper install --details --type patch openSUSE-SLE-15.3-2021-2830
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW patch is going to be installed:
  openSUSE-SLE-15.3-2021-2830  1  noarch  repo-sle-update  maint-coord@suse.de

The following 3 packages are going to be upgraded:
  libopenssl-1_1-devel  1.1.1d-11.23.1 -> 1.1.1d-11.27.1  x86_64  repo-sle-update  SUSE LLC <https://www.suse.com/>
  libopenssl1_1         1.1.1d-11.23.1 -> 1.1.1d-11.27.1  x86_64  repo-sle-update  SUSE LLC <https://www.suse.com/>
  openssl-1_1           1.1.1d-11.23.1 -> 1.1.1d-11.27.1  x86_64  repo-sle-update  SUSE LLC <https://www.suse.com/>

3 packages to upgrade.
Overall download size: 2.3 MiB. Already cached: 0 B. After the operation, 17.0 B will be freed.
Continue? [y/n/v/...? shows all options] (y):

So you can see the patch pulls in the pkgs listed in the previous command output but of a higher version than what I have installed.

Also what is worth noting is that patches only come from default update repositories. Let’s list all patches available in all repositories set in my system:

david@atronach-opensuse:~> LANG=C zypper list-patches --all
Loading repository data...
Reading installed packages...

Repository            | Name                        | Category    | Severity  | Interactive | Status     | Summary
repo-backports-update | openSUSE-2021-1000          | recommended | moderate  | ---         | not needed | Recommended update for ckb-next
repo-backports-update | openSUSE-2021-1001          | recommended | moderate  | ---         | not needed | Recommended update for ristretto
repo-backports-update | openSUSE-2021-1002          | recommended | moderate  | ---         | not needed | Recommended update for fish3
repo-backports-update | openSUSE-2021-1003          | recommended | moderate  | ---         | not needed | Recommended update for trytond, trytond_account, trytond_account_invoice, trytond_account_invoice_stock, trytond_account_product, trytond_company, trytond_country, trytond_currency, trytond_party, trytond_product, trytond_purchase, trytond_purchase_request, trytond_stock, trytond_stock_lot, trytond_stock_supply
repo-backports-update | openSUSE-2021-1004          | security    | moderate  | ---         | not needed | Security update for live555
repo-backports-update | openSUSE-2021-1005          | recommended | moderate  | ---         | not needed | Recommended update for guake
repo-update           | openSUSE-2021-1008          | recommended | moderate  | ---         | not needed | Recommended update for atftp
repo-update           | openSUSE-2021-1011          | recommended | moderate  | ---         | not needed | Recommended update for xfce4-branding-openSUSE

You can see listed patches come from repo-backports-update and repo-update repos. I truncated the output but further bellow you would see patches coming from repo-sle-update repo as well. And that’s it. Patches don’t come from other repositories. So some people prefer to install just patches since they only get official packages from SUSE and openSUSE project this way so no worries about destabilization the system. Whereas if you run zypper update instead of zypper patch you’re installing packages from unofficial and user repositories too where no quality assurance or testing takes place so it might be riskier.

I hope I got it right. I welcome possible corrections.

The -vvv adds verbosity so you can see more info on where packages are coming from etc… AFAIK zypper patch and zypper up patch are the same…

As I see it in short:

zypper patch applies the patches that are available in the so called Update repos. These Update repos only exist as addition for the stnadard repos (OSS and non-OSS).

zypper up installs all newer versions of packages already installed (observing vendor stickiness as configured). This includes all that zypper patch would do.

When you have only standard repos and Packman then zypper patch will install all the patches (security and recommended) from Update-Oss and Update-non-OSS. zypper up will install the same plus newer versions from Packman.

Thanks for the very comprehensive discussions of the differences between patches, packages, and updates. I think the key element is that a patch is not an install entity on it’s own, but is a group of package updates that are listed additionally as upgrades…

For example, this morning (for me) zypper patch showed 4 patches and 12 upgrades. Without installing them, I ran zypper up which showed 12 upgrades that were the identical list shown by zypper patch. I installed the 12 zypper up upgrades. Then re-running zypper patch shows no patches available. These were satisfied by the 12 upgrades install.

thanks all for your insights. tom kosvic

Please, one thing, we dop not call those things “upgrades”.

An “upgrade” is used here for a complete step from one openSUSE version to a higher one. You will find e.g. the menu item Upgrade on the first menu of a bootable openSUSE installation medium.

thanks for the correction. I mistakingly typed upgrade when I should have said update. I am aware of the differences and appreciate the correction.

thanks again, tom kosvic

Not to beat a dead horse, but zypper patch and zypper up both list packages to be installed as “upgrades”, not “updates”.

However the post install message from zypper refers to the installed packages as both “upgrades” and “updates”.
See below:

There are running programs which still use files and libraries deleted or updated by recent upgrades. They should be restarted to benefit 
from the latest updates. Run 'zypper ps -s' to list these programs.

Yes, as so often, people are rather sloppy in using terms.

You will experience very often, also here in the forums, that people use terms that are imprecise or even right-out wrong. Often people do this because they think that others have the same understanding of the subject they have and thus will understand them. But I am afraid that more often terms are used because others use them and it looks good to use lingo, even if you do not know exactly what it means. :frowning:

E.g. people talk about “mounting disks” which is at best as shortcut to what they want to say, but more often shows a severe lack of understanding what “mounting” is.

But yes, the misunderstanding is not always due to the poor user. The above discussion comes down partly to: zypper patch installs from the Update repos. Go, figure.

I enjoyed this thread. It added to my knowledge. Thanks.