rpm-ostree db loses advisory information on subsequent deployment staging

[sdodson]

Expected vs actual behavior

After rpm-ostree has staged a deployment with advisories rpm-ostree status lists the security advisories. However, if a subsequent deployment gets staged and, I believe but haven't confirmed, that subsequent deployment does not add any advisories then the list of advisories gets cleared.

Expected:
Expect to see advisories listed

$ rpm-ostree status
State: idle
Deployments:
  fedora:fedora/38/x86_64/silverblue
                  Version: 38.20230920.0 (2023-09-20T00:52:52Z)
               BaseCommit: 5fbec9c2714ffb9ee8a73093fbb101b707e59164d689b7c0057c7d8dadc23712
             GPGSignature: Valid signature by 6A51BBABBA3D5467B6171221809A8D7CEB10B464
            SecAdvisories: 1 low, 1 moderate, 1 important, 2 critical
                     Diff: 66 upgraded, 3 added
          LayeredPackages: git gnome-pomodoro gnome-shell-extension-pomodoro gnome-tweak-tool gnome-tweaks google-chrome-stable intel-gpu-tools intel-media-driver java-17-openjdk-headless
                           krb5-auth-dialog krb5-workstation libva-intel-driver libva-utils make rpmfusion-free-release-38 rpmfusion-nonfree-release-38

● fedora:fedora/38/x86_64/silverblue
                  Version: 38.20230913.0 (2023-09-13T02:06:59Z)
               BaseCommit: e8c56e8e1ad95725a494ab7ac941ea38a0528a975aa7192c13f73919f62ffd24
             GPGSignature: Valid signature by 6A51BBABBA3D5467B6171221809A8D7CEB10B464
          LayeredPackages: git gnome-pomodoro gnome-shell-extension-pomodoro gnome-tweak-tool gnome-tweaks google-chrome-stable intel-gpu-tools intel-media-driver java-17-openjdk-headless
                           krb5-auth-dialog krb5-workstation libva-intel-driver libva-utils make rpmfusion-free-release-38 rpmfusion-nonfree-release-38

Actual:
Advisories not listed, notice the Diff count matches above and base commits are the same.

$ rpm-ostree status
State: idle
Deployments:
  fedora:fedora/38/x86_64/silverblue
                  Version: 38.20230920.0 (2023-09-20T00:52:52Z)
               BaseCommit: 5fbec9c2714ffb9ee8a73093fbb101b707e59164d689b7c0057c7d8dadc23712
             GPGSignature: Valid signature by 6A51BBABBA3D5467B6171221809A8D7CEB10B464
                     Diff: 66 upgraded, 3 added
          LayeredPackages: git gnome-pomodoro gnome-shell-extension-pomodoro gnome-tweak-tool gnome-tweaks google-chrome-stable intel-gpu-tools intel-media-driver java-17-openjdk-headless
                           krb5-auth-dialog krb5-workstation libva-intel-driver libva-utils make rpmfusion-free-release-38 rpmfusion-nonfree-release-38

● fedora:fedora/38/x86_64/silverblue
                  Version: 38.20230913.0 (2023-09-13T02:06:59Z)
               BaseCommit: e8c56e8e1ad95725a494ab7ac941ea38a0528a975aa7192c13f73919f62ffd24
             GPGSignature: Valid signature by 6A51BBABBA3D5467B6171221809A8D7CEB10B464
          LayeredPackages: git gnome-pomodoro gnome-shell-extension-pomodoro gnome-tweak-tool gnome-tweaks google-chrome-stable intel-gpu-tools intel-media-driver java-17-openjdk-headless
                           krb5-auth-dialog krb5-workstation libva-intel-driver libva-utils make rpmfusion-free-release-38 rpmfusion-nonfree-release-38

Steps to reproduce it

1. Stage a deployment with security advisories
2. rpm-ostree status to show staged deployment w/ advisories listed
3. Wait until additional updates become available
4. rpm-ostree update
5. rpm-ostree status no longer shows advisories

If I cleanup and update again the advisories reappear. I should've done more selective cleanup, but this worked

rpm-ostree cleanup -pbm
rpm-ostree update
rpm-ostree status

Would you like to work on the issue?
No :-(