Rocky Linux launches opt-in security repository for urgent fixes

Rocky Linux has introduced a Security Repository that allows the distribution to ship urgent security fixes ahead of upstream Enterprise Linux when public exploit code exists and upstream patches are unavailable.

Rocky Linux security repository

“The repository is disabled by default. That’s intentional. The default Rocky Linux experience stays exactly what it has always been: predictable, stable, and fully upstream-compatible. Administrators who want access to accelerated fixes can opt in when they need it,” Eric Hendricks of the Rocky Linux team explained.

Administrators who want accelerated fixes can enable it with sudo dnf --enablerepo=security update or configure it permanently in their DNF settings. Systems that do not enable the repository continue to receive only standard upstream-aligned packages.

What triggered the change

Two recent vulnerabilities pushed the project to act. CopyFail and Dirty Frag were local privilege escalation flaws with public proof-of-concept exploits circulating before upstream had fixes broadly available. During those windows, Rocky Linux administrators had no supported path to a patched package.

Hendricks said the repository is reserved for a narrow scenario: a significant vulnerability is public, exploit code exists, and upstream fixes are not yet available. It is not a general-purpose fast-track channel and does not replace the standard Rocky Linux release process.

Package handling and limitations

Packages in the Security Repository are versioned to be superseded automatically by the next upstream release. When Red Hat ships a fix, the upstream package replaces the Rocky version. The repository does not issue traditional errata records and its updates do not appear in dnf update --security output, because the project does not treat them as formal advisories.

If Rocky issues a patch and upstream declines to address the underlying issue, the next upstream kernel release will replace the Rocky-patched version. Users who want to retain the Rocky fix in that situation would need to version-lock their kernel.
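As an added example (not code from the Rocky Linux project or the article), the following POSIX shell helper turns the opt-in described above into a permanent DNF setting by flipping only the [security] stanza, and records the version-lock caveat for the case where an upstream kernel release would supersede the Rocky-patched package. The repo id "security" comes from the article; the name of the .repo file that defines it is not given, so every *.repo file in the directory is searched.

```shell
#!/bin/sh
# Added example, not Rocky Linux project code: enable the opt-in "security"
# repo permanently by editing only its own [security] stanza, rather than
# passing --enablerepo=security on every update. Assumptions: the repo id is
# "security" (per the article); the file defining it lives somewhere under
# the repo directory, so every *.repo file there is searched.

# Print the path of the *.repo file under $1 that defines [$2]; fail if none.
repo_file() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        if grep -q "^\[$2\]" "$f"; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Print the effective enabled value of [$2] in file $1. DNF treats a
# missing "enabled" key as enabled, so the default is 1; prints "missing"
# if the section itself is absent.
repo_enabled() {
    awk -v repo="$2" '
        /^\[/ { in_sec = ($0 == ("[" repo "]")); if (in_sec) { found = 1; val = 1 }; next }
        in_sec && /^[ \t]*enabled[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); val = kv[2] }
        END { print (found ? val : "missing") }' "$1"
}

# Rewrite file $1 so that [$2] has enabled=$3, touching no other stanza.
# A naive "sed s/enabled=0/enabled=1/" would flip every disabled repo.
set_repo_enabled() {
    tmp="$1.tmp.$$"
    awk -v repo="$2" -v val="$3" '
        /^\[/ { if (in_sec && !done) { print "enabled=" val; done = 1 }
                in_sec = ($0 == ("[" repo "]")) }
        in_sec && /^[ \t]*enabled[ \t]*=/ { print "enabled=" val; done = 1; next }
        { print }
        END { if (in_sec && !done) print "enabled=" val }' "$1" > "$tmp" \
        && cat "$tmp" > "$1" && rm -f "$tmp"   # keep the original file's mode/owner
}

# Opt in permanently: enable [security] in the repo directory (default
# /etc/yum.repos.d). Run as root on a real host.
enable_security_repo() {
    f=$(repo_file "${1:-/etc/yum.repos.d}" security) || return 1
    set_repo_enabled "$f" security 1
}
# Caveat from the article: once upstream ships its own fix, the next kernel
# release supersedes the Rocky-patched package; to keep the Rocky build
# instead, pin it with the versionlock plugin, e.g. dnf versionlock add 'kernel*'.
```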
