On a production system, or any system that needs to be kept in a stable state, you will not want to use the dist-upgrade option except in certain situations.
Patches are meant for specific bug fixes and security fixes for software that comes packaged by openSUSE and is maintained in the Main Updates repository. If you are using openSUSE as your desktop OS you may notice that running “zypper up” will show more updates than you see through the GUI. This is because by default YaST Online Update (which is where the GUI tools in GNOME and KDE retrieve update information) only shows official software patches.

zypper is called with the --root option and the snapshot as argument. If the update succeeds, we clean up the snapshot, switch it to read-only if the original root filesystem is read-only, and make this subvolume the new default.

We can take this a step further and pull down all the details of what packages will change if we patch this particular CVE, by calling the info option with zypper and passing in the name of the patch we want to look at, in this case “openSUSE-2017-462”.

When I’m writing a script I would tend to use the more verbose method, just so that the next person looking at it (or me 6 months later) will have a better chance of understanding what I was doing.
Either way you choose to run this command, you will receive output similar to this:

    Information for patch openSUSE-2017-462:
    ----------------------------------------
    Repository : Main Update Repository
    Name : openSUSE-2017-462
    Version : 1
    Arch : noarch
    Vendor : [email protected]
    Status : needed
    Category : security
    Severity : moderate
    Created On : Wed AM EDT
    Interactive : ---
    Summary : Security update for gimp
    Description :
    This update for gimp fixes the following issues:
    This security issue was fixed:
    - CVE-2007-3126: Context-dependent attackers were able to cause a denial of service via an ICO file with an Info Header containing a Height of zero (bsc#1032241).
However, if you want to ensure that you have a stable and undisturbed desktop experience, there is certainly nothing wrong with limiting your updates to patches.
One of the great things about working with patches is the vast amount of information that is available for them that can be accessed straight from the command line.
    These non-security issues were fixed:
    - bsc#1025717: Prefer lcms2 over lcms1 if both are available
    - bgo#593576: Preven crash in PDF Import filter when importing large image PDF or specifying high resolution
    Provides : patch:openSUSE-2017-462 = 1
    Conflicts : gimp.i586

“A released patch conflicts with the affected/vulnerable versions of a collection of packages. As long as any of these affected/vulnerable versions are installed, the conflict triggers and the patch is classified as needed, optional or as unwanted if the patch is locked.”

In proper context, the conflict is a trigger to let us and the system know that an updated package is available to fix the vulnerability.
A single patch might include several package updates to mitigate a specific security vulnerability or bug fix.
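The Status, Category and Severity fields and the CVE ids in the description are the parts of the patch information worth checking in a script before installing. The shell functions below are an added example, not code from the original article: the function names are hypothetical, and the sample is constructed from the output quoted above, assuming the line after Vendor is zypper's Status field.

```shell
# Added example (not from the original article): triage the text printed by
# `zypper info -t patch NAME` before deciding whether to install the patch.

# Print the value of one "Field : value" line. $1 = field name, $2 = info text.
patch_field() {
    printf '%s\n' "$2" | awk -v want="$1" '
        {
            i = index($0, ":"); if (i == 0) next
            key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != want) next
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; exit
        }'
}

# Print every distinct CVE id mentioned in the description. $1 = info text.
patch_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
}

# Succeed only for a security patch whose conflict has triggered (Status: needed).
patch_is_needed_security() {
    [ "$(patch_field Category "$1")" = "security" ] &&
        [ "$(patch_field Status "$1")" = "needed" ]
}

# One-line summary: name, category/severity, status, CVE list.
patch_summary() {
    cves=$(patch_cves "$1" | tr '\n' ' ')
    printf '%s %s/%s %s %s\n' "$(patch_field Name "$1")" \
        "$(patch_field Category "$1")" "$(patch_field Severity "$1")" \
        "$(patch_field Status "$1")" "${cves% }"
}

# Constructed sample, abridged from the output quoted in the article.
SAMPLE='Information for patch openSUSE-2017-462:
----------------------------------------
Repository  : Main Update Repository
Name        : openSUSE-2017-462
Status      : needed
Category    : security
Severity    : moderate
Summary     : Security update for gimp
Description :
    This security issue was fixed:
    - CVE-2007-3126: denial of service via an ICO file (bsc#1032241).'

patch_summary "$SAMPLE"
patch_is_needed_security "$SAMPLE" && echo "install candidate"
```

On a live system, pass the real output instead of the sample, for example `patch_summary "$(LC_ALL=C zypper info -t patch openSUSE-2017-462)"`; forcing the C locale keeps the field labels in English so the matching works.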