Bug 1292914

Summary: bodhi allows packages to be downgraded in stable releases
Product: [Fedora] Fedora
Reporter: Andre Robatino <robatino>
Component: bodhi
Assignee: Luke Macken <lmacken>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: crobinso, dennis, kparal, lmacken, pfrields, sergio
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-01-21 23:44:08 UTC
Type: Bug
Bug Blocks: 1296711

Description Andre Robatino 2015-12-18 17:48:04 UTC
Description of problem:
qemu-2.4.1-3.fc23 was pushed to stable updates on December, then shortly afterwards 2.4.1-2 was pushed to stable. As a result, a distro-sync wants to downgrade to 2.4.1-2.

Version-Release number of selected component (if applicable):
qemu-2.4.1-2
qemu-2.4.1-3

Comment 1 Andre Robatino 2015-12-18 17:50:15 UTC
Should read "pushed to stable updates on December 14".

See my comment in https://bodhi.fedoraproject.org/updates/FEDORA-2015-b2e8518b8e .

Comment 2 Dennis Gilmore 2015-12-18 17:54:12 UTC
In this case bodhi should never have allowed qemu-2.4.1-2.fc23 to go stable.

Comment 3 Luke Macken 2015-12-18 18:22:54 UTC
So basically a +1 of -2 triggered the autokarma threshold and queued it up for stable two days after -3 was pushed. Bodhi needs to be smart enough to handle this scenario by either skipping the tagging, or ejecting the update from the push entirely.
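
The check Comment 3 asks for (skip or eject a queued build that is not newer than what is already in stable), as an added example that is not part of this bug report or of Bodhi's code. Assumptions: the function names are hypothetical, the version comparison is a simplified re-implementation of RPM's rules (no epoch or caret handling), and the sample data is constructed from the builds named in this report plus one hypothetical newer bzip2 build.

```python
import re
from itertools import zip_longest

def rpmvercmp(a, b):
    """Simplified RPM-style comparison of two version strings: -1, 0 or 1."""
    tok = lambda s: re.findall(r"\d+|[A-Za-z]+|~", s)
    for x, y in zip_longest(tok(a), tok(b)):
        if x == "~" or y == "~":          # '~' sorts before everything,
            if x == y:                    # including end of string
                continue
            return -1 if x == "~" else 1
        if x is None or y is None:        # the side with segments left is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():    # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return -1 if kx < ky else 1
    return 0

def split_nvr(nvr):
    """'qemu-2.4.1-3.fc23' -> ('qemu', '2.4.1', '3.fc23')"""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def compare_nvr(a, b):
    """Compare version, then release (epoch assumed equal for both builds)."""
    _, va, ra = split_nvr(a)
    _, vb, rb = split_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def plan_push(stable, queued):
    """Return (to_tag, ejected); ejected pairs each build with the stable one it loses to."""
    latest = {split_nvr(n)[0]: n for n in stable}
    to_tag, ejected = [], []
    for nvr in queued:
        name = split_nvr(nvr)[0]
        current = latest.get(name)
        if current is not None and compare_nvr(nvr, current) <= 0:
            ejected.append((nvr, current))   # would downgrade or duplicate stable
        else:
            to_tag.append(nvr)
            latest[name] = nvr               # later queued builds must beat this one
    return to_tag, ejected

# Constructed input: builds named in this report; bzip2 -20 is hypothetical.
STABLE = ["qemu-2.4.1-3.fc23", "libpng-1.6.19-1.fc23", "bzip2-1.0.6-19.fc23"]
QUEUED = ["qemu-2.4.1-2.fc23", "libpng-1.6.17-3.fc23",
          "bzip2-1.0.6-18.fc23", "bzip2-1.0.6-20.fc23"]
```

Running `plan_push(STABLE, QUEUED)` before tagging leaves only the newer bzip2 build in the push and reports each rejected build alongside the stable build that supersedes it.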

Comment 4 Andre Robatino 2016-01-07 06:00:00 UTC
Something similar happened again - libpng-1.6.19-1.fc23 was downgraded to libpng-1.6.17-3.fc23 after the latter was submitted for stable. See

https://bodhi.fedoraproject.org/updates/FEDORA-2015-4ad4998d00 (libpng-1.6.17-3.fc23)
https://bodhi.fedoraproject.org/updates/FEDORA-2015-9199a1bfe1 (libpng-1.6.19-1.fc23)

Dennis: please fix. Thanks.

Comment 5 Andre Robatino 2016-01-09 06:03:37 UTC
Same thing just happened with bzip2 - the packager submitted an older version for stable and it downgraded a newer version. The version in stable is now -18.

https://bodhi.fedoraproject.org/updates/FEDORA-2015-4a9c774398 (bzip2-1.0.6-18.fc23)
https://bodhi.fedoraproject.org/updates/FEDORA-2015-be3a6f6ed8 (bzip2-1.0.6-19.fc23)

Dennis: please fix. Thanks.

Comment 6 Kamil Páral 2016-01-11 09:08:52 UTC
Some good discussion about what exactly happened is here:
https://lists.fedoraproject.org/archives/list/test%40lists.fedoraproject.org/thread/K5X7652MWYS7NGOXTMQOLF57XPGP2Y25/

Comment 7 Sergio Basto 2016-01-15 23:32:41 UTC
I opened this issue:

https://github.com/fedora-infra/bodhi/issues/760

With dnf list extras, I got bzip2-1.0.6-19.fc23 on the list.

Comment 8 Luke Macken 2016-01-21 23:44:08 UTC
A potential fix has been proposed.

https://github.com/fedora-infra/bodhi/pull/768