I confirm the bug. --advisory-severities option is document as "limit…", but it does not do an intersection:

# dnf5 advisory list --security --advisory-severities=critical
Updating and loading repositories:
Repositories loaded.
Name                   Type     Severity                           Package              Issued
FEDORA-2024-43a0920f12 security Low      perl-Clipboard-0.29-1.fc39.noarch 2024-04-10 14:44:52

I think the reason is compatibility with old dnf which is unfortunately also doing an union.

I agree that the docs should definitely be fixed (both man pages and --help).
I have also noticed that the --help of advisory commands refers to packages which is confusing because its filtering advisories. This is probably caused by the fact that the options are shared with other commands.

I have created a patch, but I am not sure whether we should modify the behavior or modify DNF5 in more complex way.

I think that both following command should target the same set of advisories (The PR change behavior for all commands), but is it OK?

dnf5 advisory list --security --advisory-severities=critical

dnf5 upgrade --security --advisory-severities=critical

What do you think?

Both commands should behave the same.

I'm for changing it to an intersection because users who want an union can use the options in separate calls. Contrary with the union behavior, users cannot not achieve the intersection.

I agree that all the commands should behave the same.

I also prefer intersection but changing it now could be quite unexpected for users.

I agree that all the commands should behave the same.

I also prefer intersection but changing it now could be quite unexpected for users.

@kontura May I ask you when you would prefer that the change happen?

@kontura May I ask you when you would prefer that the change happen?

I think the best time was when we introduced the advisory options to dnf5 but since the change was rejected at that time due to compatibility concerns I wanted to mention it.

I am still not sure whether the change make sense from upgrade command usages.

I think that command dnf5 upgrade --security --advisory-severities=critical with a result that both filters are applied with and operator os OK and expected.

But other combination might be difficult dnf5 upgrade --advisory FEDORA-2024-1706127797 --security

• It returns updates for advisory FEDORA-2024-a7a8f8f01b and all other security updates
• The new behavior results in an empty set because the advisory has the Bugfix type.
• It means that after the change several combination of filters would be allowed but not usable.

Other combination might be difficult dnf5 upgrade --advisory FEDORA-2024-1706127797 --bzs 2271998

• It returns updates for advisory FEDORA-2024-a7a8f8f01b and bugzilla 2271998
• The new behavior results in an empty set because the advisory does not fix the Bugzilla.

The same problem is related to CVEs.

What about to only modify applying and operator between type and severity? (#1467)
Or we can add a restrictions that only some combination will be not allowed.

I will repeat myself, I like the new behavior more.

What about to only modify applying and operator between type and severity?

Does severity exists in non-security advisories?

Yes, severity is used with other types of advisories, but not so often

===============================================================================
  Update ID: FEDORA-2024-39f1aba503
       Type: bugfix
    Updated: 2024-05-01 03:36:32
       Bugs: 2276226 - python-identify-2.5.36 is available
Description: 2.5.36
   Severity: Low