
Rocky Linux Launched an Emergency, Opt-in Security Repository to Fix Critical Vulnerabilities

By sk

Quick Summary

  • Rocky Linux project team introduced an optional, opt-in Security Repository for Rocky Linux that provides urgent security "hot-fixes" for critical vulnerabilities.
  • It is specifically designed for situations where a vulnerability is public, exploit code is circulating, and official upstream patches are not yet available.
  • Since it prioritizes speed over standard release cycles, it is disabled by default to preserve the predictable and stable behavior expected by most users.

Introduction

Rocky Linux developers usually release a fix only after the official upstream (Red Hat) version becomes available. While this approach provides great stability, it also creates a dangerous "security gap" when attackers release exploits before a patch exists.

To solve this, the team introduced the Rocky Linux Security Repository. This new repository acts as an emergency bridge for administrators who cannot afford to wait for upstream fixes while active threats circulate.

Why Rocky Linux Changed Course

Historically, Rocky Linux users had to wait for upstream releases to stay 100% compatible. However, recent vulnerabilities such as Copy Fail, Dirty Frag, and Fragnesia changed this. These bugs were "deterministic", meaning an exploit succeeded every time it ran. Even worse, attackers released public exploit code while administrators were still waiting for upstream patches.

As noted in the official announcement, this put administrators in a position where they were aware of the risk but had no way to fix it. Therefore, the project decided to offer a narrow, deliberate exception to its "upstream-only" rule.

What the Security Repository Does (And Doesn't)

The security repository is not a permanent change in direction for the OS. Instead, it serves as a temporary solution for specific, high-risk scenarios. Here is what you need to know about its design:

  • It is Disabled by Default: Your system will stay exactly as it is unless you choose to opt in. This ensures that Rocky Linux remains predictable and stable for the average user.
  • It is an Emergency Bridge: Packages in this repository provide "hot-fixes" for urgent risks. They do not include traditional errata records because they are not meant to be permanent, long-term fixes.
  • Upstream Always Wins: The team versions these packages so that the next official upstream update will automatically replace them. As a result, users eventually land back on 100% upstream-aligned code.

The First Real Test: Dirty Frag and Fragnesia

The repository saw its first real use during the Dirty Frag and Fragnesia events. These vulnerabilities allowed unprivileged users to gain root access by corrupting the kernel's page cache. Since these threats were so reliable and the exploits were public, Rocky Linux used the security repository to ship its first emergency kernel patches.

Initially, these patches even addressed modules like rxrpc that the upstream provider chose not to fix because they are not part of a standard production setup.

This shows how the security repository gives the Rocky Linux team the flexibility to protect its community during unique crises.

How to Enable the Security Repository in Rocky Linux

If you manage a multi-tenant system or a container build farm, you likely need these accelerated fixes. You can enable the Rocky Linux security repository in two ways:

For a One-Time Update, run this command:

sudo dnf --enablerepo=security update

For Permanent Use: You can change your DNF settings to keep the repository enabled at all times.
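As an added example (not code from the article or the Rocky Linux project), the POSIX shell helpers below make the difference between the two paths concrete: the one-time path passes --enablerepo=security to a single dnf run, while "permanent use" means the [security] section of the shipped .repo file under /etc/yum.repos.d/ carries enabled=1. The helper names, the sample file and its contents are assumptions; the repo id "security" is the one the article's command enables.

```shell
#!/bin/sh
# Added example, not from the article or the Rocky Linux project.
# Helper names and the sample .repo file are assumptions; the repo id
# "security" comes from the article's --enablerepo=security command.

# Print 1 if REPOID has enabled=1 in REPOFILE, 0 if disabled or absent.
repo_enabled() {
    repofile=$1; repoid=$2
    awk -v id="$repoid" '
        /^\[/ { insec = ($0 == ("[" id "]")); next }
        insec && /^enabled[ \t]*=/ { sub(/^enabled[ \t]*=[ \t]*/, ""); val = $0 }
        END { if (val == "1") print 1; else print 0 }
    ' "$repofile"
}

# Rewrite REPOFILE so REPOID has enabled=VALUE, leaving other sections alone.
# This is the edit "dnf config-manager --set-enabled security" (dnf-plugins-core)
# performs for you; doing it by hand shows exactly what "permanent use" means.
set_repo_enabled() {
    repofile=$1; repoid=$2; value=$3
    awk -v id="$repoid" -v v="$value" '
        /^\[/ { insec = ($0 == ("[" id "]")) }
        insec && /^enabled[ \t]*=/ { $0 = "enabled=" v }
        { print }
    ' "$repofile" > "$repofile.tmp" && mv "$repofile.tmp" "$repofile"
}

# Constructed sample in dnf's INI layout: baseos on, security off, which is
# the disabled-by-default state the article describes. Prints the file path.
demo_repo_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[baseos]
name=Rocky Linux $releasever - BaseOS
enabled=1

[security]
name=Rocky Linux $releasever - Security (opt-in hot-fixes)
enabled=0
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: default state, then the permanent opt-in on the sample.
sample=$(demo_repo_file)
echo "security enabled before: $(repo_enabled "$sample" security)"   # 0
set_repo_enabled "$sample" security 1
echo "security enabled after:  $(repo_enabled "$sample" security)"   # 1
rm -f "$sample"
```

Run repo_enabled against the real file in /etc/yum.repos.d/ to confirm which state a host is in before deciding whether its updates already include the hot-fix packages.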

If you do not need these emergency fixes, you can simply do nothing. Your system will continue to follow the standard release cycle you have always used.

When to use it: Use this repository if you run public-facing servers or systems with many users where a "Zero Day" exploit could cause immediate harm.

When to skip it: If your servers are isolated and only your trusted team has access, you can likely wait for the standard upstream updates.
