Bug 1947872
| Summary: | crypto-policies uses Recommends crypto-policies-scripts | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Component: | crypto-policies | Assignee: | Alexander Sosedkin <asosedki> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 9.0 | CC: | jpazdziora, jwboyer, omoris, pvrabec |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | crypto-policies-20210628-1.gitdd7d273.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-17 15:54:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jan Pazdziora (Red Hat)
2021-04-09 13:01:24 UTC
crypto-policies-scripts is needed to switch the crypto-policy active on the system to something other than DEFAULT. It used to be a single package with crypto-policies and was only extracted out of it solely because UBI wanted to avoid python in the minimal image (bz1832743). What do I need to do to add it to @core? Would that cause a regression for the UBI folks? Is Recommends + @core OK or is this discouraged as well? Josh, is pull request to https://pagure.io/fedora-comps/blob/main/f/comps-eln.xml.in still the way to modify RHEL 9 comps or has the process since changed? Given that UBI images don't contain for example systemd, I assume they are not using @core group for specifying package sets anyway. The biggest problem with Recommends is that depending on --excludeWeakdeps option to %packages in the kickstart and install_weak_deps setting in dnf, the end result is different, which is not really nice for repeatability. So ideally removing that Recommends would be best. (In reply to Jan Pazdziora from comment #3) > Josh, is pull request to > https://pagure.io/fedora-comps/blob/main/f/comps-eln.xml.in still the way to > modify RHEL 9 comps or has the process since changed? Changed. Use centos-stream comps: https://gitlab.com/redhat/centos-stream/release-engineering/comps > Given that UBI images don't contain for example systemd, I assume they are > not using @core group for specifying package sets anyway. They are not. They're built from kickstarts that specify --nocore > The biggest problem with Recommends is that depending on --excludeWeakdeps > option to %packages in the kickstart and install_weak_deps setting in dnf, > the end result is different, which is not really nice for repeatability. So > ideally removing that Recommends would be best. On a second thought, I now think that the reasons to add it to @core are solid enough. Nothing in there seems to depend on non-platform python. Can I just keep it the way it is now? * no @core because python dependency * recommended and not suggested as it contains the fundamental package functionality expected from crypto-policies package * recommended and not required as it can be avoided for setups that only use DEFAULT policy What is the problem of having packages in @core the require python? There's dnf there, for example. Why can't crypto-policies-scripts go to @core? Hm, you're right, they both seem to be content with platform-python. Filed https://gitlab.com/redhat/centos-stream/release-engineering/comps/-/merge_requests/36 Can I keep the Recommends? Keeping the Recommends is discouraged as it bring non-determinism to the installation, so it'd be good if it could be removed. With the -scripts package now listed in @core, it will get installed in most typical installations. Removing the Recommends will allow easy installation for example in containers where changing the crypto policy is not anticipated. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: crypto-policies), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:3953 |