lynis icon indicating copy to clipboard operation
lynis copied to clipboard
verified publisher icon CISOfy

Fedora 42 version of lynis complains it is more than 4 months old.

Open jwadodson opened this issue 7 months ago • 2 comments

Describe the bug Fedora 42 version of lynis complains it is more than 4 months old.

This release is more than 4 months old. Check the website or GitHub to see if there is an update available.

Version

  • Distribution Fedora 42
  • Lynis version lynis.noarch 3.1.4-1.fc42 fedora

Expected behavior No suggestion to check github. Perhaps a forced version update to "distributions" every 3.5 months.

Output This release is more than 4 months old. Check the website or GitHub to see if there is an update available.

Additional context Perhaps a forced version update to "distributions" every 3.5 months.

jwadodson avatar May 29 '25 01:05 jwadodson

Detect if Lynis is running as a distribution package and offer update suggestions accordingly. A forced version update should occur for a distribution every 3.5 months to avoid this warning. Add a flag for suppressing warnings on officially packaged versions for Fedora.

tasmaiyajittikar avatar May 29 '25 02:05 tasmaiyajittikar

A new version is coming soon. Lynis provides this message to indicate that it might be outdated, to encourage users to upgrade (when possible).

mboelen avatar May 29 '25 12:05 mboelen

Be interested to know when updated version to drop... happy to test. Thank you for Lynis. R

rm-td avatar Jul 05 '25 19:07 rm-td

Version 3.1.5 is now available. We are thinking about changing the behavior yet encourages people to update.

mboelen avatar Jul 30 '25 22:07 mboelen

Several changes have been implemented today to alter the behavior. The time has been increased to 6 months, but also the reporting has been changed.

Forced version updates is not possible to many of the Linux distributions. This is because they usually freeze a package at a given moment in time and typically not update after that. So in the end, distributions may be providing an outdated version. That is exactly the reason for this check, so people don't stay on a very old version, but get introduced to the possibility to install newer version (e.g. via repository, tarball, Git, etc). This is especially important for changes that usually happen after the initial release of a Linux distribution release. The Lynis project and its users need a bit of time to discover it and then add improvements (e.g. detection, end-of-life date, specific tests, etc). Therefore we don't want Linux distributions (= usually the package maintainers) suppress this message.

Related commits: https://github.com/CISOfy/lynis/commit/49402a07b6812ee206b62abc43db0720120afa44 and https://github.com/CISOfy/lynis/commit/8866355258a269f775a715413b00b2a5a872189d

If you like to test functionality, feel free to manually change the Lynis version (e.g. to 3.1.0) in the file 'lynis'. Then do the testing. After that, set back the version and change the 6 months timestamp (TIME_DIFFERENCE_CHECK=15552000) and give it the value of 1. Then do the testing again and it should show you a different message compared to when a new release is available.

For now I will close this issue with the changes implemented.

mboelen avatar Jul 31 '25 12:07 mboelen

Thanks, your efforts are greatly appreciated. lynis.noarch 3.1.5-1.fc42 was installed today on FC42.

jwadodson avatar Aug 07 '25 13:08 jwadodson