corretto/corretto-8-docker

Corretto not identifiable as having security vulnerabilities via yum

albuch opened this issue · 1 comment

As amazoncorretto is not installed via the Amazon Linux repo but manually as an RPM package with a different package name (-devel), security scanners can't pick up that there is a vulnerable, outdated version.

Is there a reason as to why you manually download rpm packages rather than using the packages distributed by the Amazon Linux repo?
As of now I only see downsides to the manual installation process:

  • it's more complex
  • it suppresses additional information like ALAS entries and upgrade possibilities via yum

@albuch This is a historical decision which made sense at the time but right now is likely unnecessary. You make good points on why it's better to return to native RPM installs, so we'll take a look at that soon.

Thanks.