Corretto not identifiable as having security vulnerabilities via yum
albuch opened this issue · 1 comment
albuch commented
As amazoncorretto is not installed via the Amazon Linux repo but manually as an rpm package with a different package name (-devel), it can't be picked up by security scanners that there is a vulnerable outdated version.
Is there a reason as to why you manually download rpm packages rather than using the packages distributed by the Amazon Linux repo?
As of now I only see downsides to the manual installation process:
- it's more complex
- it suppresses additional information like ALAS entries and upgrade possibilities via yum
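The check a defender would want here, as an added example that is not part of the issue or of the Corretto project's own code: `yum list installed` shows `@<repo>` in its third column for packages installed from a repository and the literal word `installed` for packages installed from a local `.rpm` file, and only the former are matched by `yum updateinfo list security` (the ALAS entries mentioned above) or offered by `yum check-update`. The script below parses constructed `yum list installed` output, lists every package yum does not associate with a repo, and offers a CI-style gate that fails when any Corretto package is in that state. Package names, versions and repo names in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread or the Corretto project).
# Flags installed RPMs that yum does not associate with any repository, i.e.
# packages that were installed from a downloaded .rpm file and therefore get
# no `yum updateinfo` / ALAS advisories and no `yum check-update` offers.
#
# On a real host feed in live output instead of the sample:
#   yum list installed | untracked_packages
#   yum list installed | check_corretto_tracked || echo "Corretto is untracked"

# Constructed sample of `yum list installed` output (versions and repo names are
# illustrative, not real package data). yum wraps long package names onto their
# own line, with version and repo on the following line; the Corretto -devel
# entry below shows that layout.
SAMPLE_YUM_LIST='Installed Packages
bash.x86_64                                 4.2.46-34.amzn2        @amzn2-core
java-1.8.0-amazon-corretto-devel.x86_64
                                            1:8.222.10-1           installed
java-11-amazon-corretto.x86_64              1:11.0.4.11-1          @amzn2-core
openssl.x86_64                              1:1.0.2k-19.amzn2.0.3  @amzn2-core'

# Print "name version" for every package whose repo column is the literal word
# `installed`. Reads `yum list installed` output on stdin.
untracked_packages() {
    awk '
        { repo = "" }                                  # reset per record
        /^(Installed|Loaded|Available) / { next }      # header / plugin lines
        NF == 1 { pending = $1; next }                 # long name wrapped onto its own line
        NF == 2 && pending != "" { name = pending; ver = $1; repo = $2; pending = "" }
        NF == 3 { name = $1; ver = $2; repo = $3 }
        repo == "installed" { print name, ver }
    '
}

# Exit status 0 when every Corretto package comes from a repository, 1 when any
# Corretto package is only locally installed. Reads `yum list installed` on stdin.
check_corretto_tracked() {
    untracked="$(untracked_packages | grep -i corretto || true)"
    [ -z "$untracked" ]
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_YUM_LIST" | untracked_packages
```

Running the script on the sample prints only the `-devel` package, which is exactly the package a scanner keyed on repository metadata would miss; the other entries carry a `@repo` marker and would be covered by `yum updateinfo`.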
davecurrie commented
@albuch This is a historical decision which made sense at the time but right now is likely unnecessary. You make good points on why it's better to return to native RPM installs, so we'll take a look at that soon.
Thanks.