
GNOME Software defers updates which are not "important" for a week or two[1]. It helps avoid overwhelming users, particularly on Fedora Linux.

On Fedora, this works by the repo specifically marking updates with security fixes.[2][3] On Debian and Ubuntu (only?!), it works by detecting the name of a specific repo for security updates.[4]

So what about internet-facing software from third-party repos? I'm thinking of popular repos google-chrome and rpmfusion (for media software).

Does Google bother to set up these fine details across all the Linux distributions they support? For the rpmfusion packages I look at, with changelogs like "Update to 3.0.0 - snapshot 20160614", are the packagers really reviewing the upstream changes for security fixes, and marking the corresponding updates?

sourcejedi

1 Answer


It seems as if this suspicion is correct:

`dnf -q updateinfo list installed sec` shows only Fedora packages. This is despite having installed packages from both google-chrome and rpmfusion repos. `dnf updateinfo info -v installed google-chrome-stable` is simply blank, whereas the same command for package `kernel` includes `Type: security`, and a list of fixed bugs including CVEs (globally registered security bugs).

I'm confident there should be security updates here. Web browser releases always include new security updates, and the current version of Google Chrome is no exception.

I'd be surprised to find RPMFusion is doing any better than Google.

Looking at the source code, GNOME Software looks for security updates and also "important" updates. Google Chrome isn't being marked as a security update. The libhif plugin (for packagekit on Fedora) doesn't appear to mark any updates as "Important" either.

sourcejedi
  • Third party repos _should_ create an `updateinfo.xml` which contains the security metadata. – mattdm Sep 13 '16 at 14:31
  • Right. I've hacked the question a bit, it might read slightly more fairly. – sourcejedi Sep 13 '16 at 15:54
  • I know people at Red Hat who are in communication with Google about their Chrome packaging, and I will bring this up with them. – mattdm Sep 13 '16 at 16:22
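The question explains that dnf and GNOME Software only know an update is a security fix if the repo says so in its `updateinfo.xml`, and the answer checks this with `dnf updateinfo`. The following is an added example, written for this page rather than taken from the question, the answer, Fedora, dnf or GNOME Software: it parses a constructed `updateinfo.xml` in the layout that createrepo/modifyrepo produce and dnf consumes, and then audits a constructed list of installed packages the way a practitioner would audit `dnf repoquery --installed` output, reporting which packages come from a repo that ships no advisory metadata at all. The advisory ids, bug ids, CVE ids, hostnames, repo ids and package versions are all placeholders, not real Fedora, Google or RPM Fusion data.

```python
"""Audit installed packages against updateinfo.xml security metadata.

Added example for this page; not code from dnf, GNOME Software or any repo.
All identifiers below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml in the shape a Fedora "updates" repo ships:
# a security advisory for the kernel (with bugzilla and CVE references)
# and a plain enhancement advisory for vim.  No leading whitespace before
# the XML declaration, or expat rejects the document.
FEDORA_UPDATEINFO = """<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update from="security@example.invalid" status="stable" type="security" version="1.4">
    <id>EXAMPLE-2016-0001</id>
    <title>kernel-4.7.2-201.fc24</title>
    <severity>Important</severity>
    <issued date="2016-09-10 00:00:00"/>
    <description>Placeholder kernel security update.</description>
    <references>
      <reference href="https://bugzilla.example.invalid/1" id="1" type="bugzilla" title="placeholder bug"/>
      <reference href="https://cve.example.invalid/CVE-2016-00001" id="CVE-2016-00001" type="cve" title="placeholder CVE"/>
    </references>
    <pkglist>
      <collection short="F24">
        <name>Fedora 24</name>
        <package arch="x86_64" name="kernel" version="4.7.2" release="201.fc24">
          <filename>kernel-4.7.2-201.fc24.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
  <update from="updates@example.invalid" status="stable" type="enhancement" version="1.4">
    <id>EXAMPLE-2016-0002</id>
    <title>vim-8.0.0001-1.fc24</title>
    <severity>None</severity>
    <issued date="2016-09-11 00:00:00"/>
    <description>Placeholder enhancement, not a security fix.</description>
    <pkglist>
      <collection short="F24">
        <name>Fedora 24</name>
        <package arch="x86_64" name="vim" version="8.0.0001" release="1.fc24">
          <filename>vim-8.0.0001-1.fc24.x86_64.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""

# Constructed "installed packages" as (name, originating repo id), the
# information `dnf repoquery --installed` gives; repo ids are placeholders.
INSTALLED = [
    ("kernel", "updates"),
    ("vim", "updates"),
    ("google-chrome-stable", "google-chrome"),
    ("ffmpeg", "rpmfusion-free-updates"),
]

# updateinfo.xml text per repo; None models a repo whose repomd.xml lists
# no updateinfo at all, which is what the answer observed for third-party repos.
REPO_UPDATEINFO = {
    "updates": FEDORA_UPDATEINFO,
    "google-chrome": None,
    "rpmfusion-free-updates": None,
}


def parse_advisories(xml_text):
    """Return {package name: [advisory, ...]} for every <update> element.

    Each advisory keeps the id, the type attribute (security/bugfix/enhancement),
    the severity and the CVE ids among its <reference> elements; the type
    attribute is the flag dnf's "sec" filter and GNOME Software act on."""
    by_package = {}
    for update in ET.fromstring(xml_text).findall("update"):
        advisory = {
            "id": update.findtext("id", default=""),
            "type": update.get("type", ""),
            "severity": update.findtext("severity", default="None"),
            "cves": [ref.get("id") for ref in update.iter("reference")
                     if ref.get("type") == "cve"],
        }
        for pkg in update.iter("package"):
            by_package.setdefault(pkg.get("name"), []).append(advisory)
    return by_package


def audit_installed(installed, repo_updateinfo):
    """Map each installed package to a status string describing whether its
    repo can ever tell the client that an update is a security fix."""
    parsed = {repo: parse_advisories(xml)
              for repo, xml in repo_updateinfo.items() if xml is not None}
    report = {}
    for name, repo in installed:
        if repo not in parsed:
            report[name] = "repo %s ships no updateinfo.xml: any security fix is invisible" % repo
            continue
        advisories = parsed[repo].get(name, [])
        security = [a for a in advisories if a["type"] == "security"]
        if security:
            report[name] = "security: " + ", ".join(
                "%s/%s (%s)" % (a["id"], a["severity"], ", ".join(a["cves"]) or "no CVE")
                for a in security)
        elif advisories:
            report[name] = "advisories present, none marked security"
        else:
            report[name] = "no advisory for this package in repo %s" % repo
    return report


def run_audit():
    """Audit the constructed inventory above; returns {package: status}."""
    return audit_installed(INSTALLED, REPO_UPDATEINFO)


if __name__ == "__main__":
    for pkg, status in sorted(run_audit().items()):
        print("%-22s %s" % (pkg, status))
```

On a real system the per-repo `updateinfo.xml` is whatever the repo's `repomd.xml` advertises under the `updateinfo` type, which dnf downloads into its cache alongside the primary metadata; a repo that never publishes that file produces exactly the blank `dnf updateinfo info` output the answer describes, and a vendor who wanted to fix this would attach the file with createrepo_c's `modifyrepo_c --mdtype=updateinfo updateinfo.xml repodata/` when publishing each release.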