Bug 1947872

Summary: crypto-policies uses Recommends crypto-policies-scripts
Product: Red Hat Enterprise Linux 9
Reporter: Jan Pazdziora <jpazdziora>
Component: crypto-policies
Assignee: Alexander Sosedkin <asosedki>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: low
Priority: low
Version: 9.0
CC: jpazdziora, jwboyer, omoris, pvrabec
Target Milestone: beta
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20210628-1.gitdd7d273.el9
Doc Type: No Doc Update
Last Closed: 2022-05-17 15:54:31 UTC
Type: Bug

Description Jan Pazdziora 2021-04-09 13:01:24 UTC
Description of problem:

RHEL 9 Content Structure and Guidelines state that weak dependencies in BaseOS are allowed, but discouraged.

By using the Recommends weak dependencies especially for packages in @core group (Minimal host installation) or their direct dependencies, the recommended package gets pulled into the installed package set depending on the current configuration of the dnf transaction.

The crypto-policies package Recommends crypto-policies-scripts.

If that package is needed by crypto-policies for correct operation, Requires should be used.

If crypto-policies-scripts is essential in minimal host installations, it should be listed in the @core group in the comps file, not pulled in as a weak side-effect of having crypto-policies in @core.

If it is listed primarily for convenience, Suggests might be a better option. Or just drop the weak dependency completely.

Version-Release number of selected component (if applicable):

crypto-policies-20210218-1.git2246c55.el9.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf remove -y crypto-policies-scripts
2. dnf reinstall -y crypto-policies

Actual results:

================================================================================
 Package                 Arch   Version                     Repository     Size
================================================================================
Reinstalling:
 crypto-policies         noarch 20210218-1.git2246c55.el9   beaker-BaseOS  56 k
Installing weak dependencies:
 crypto-policies-scripts noarch 20210218-1.git2246c55.el9   beaker-BaseOS  67 k
 grubby                  x86_64 8.40-51.el9                 beaker-BaseOS  37 k

Expected results:

Only crypto-policies reinstalled.

Additional info:

For the grubby in the output please see separate bug 1947871.

Comment 2 Alexander Sosedkin 2021-04-09 13:54:12 UTC
crypto-policies-scripts is needed to switch the crypto-policy active on the system to something other than DEFAULT.
It used to be a single package with crypto-policies and was only extracted out of it
solely because UBI wanted to avoid python in the minimal image (bz1832743).

What do I need to do to add it to @core? Would that cause a regression for the UBI folks?
Is Recommends + @core OK or is this discouraged as well?

Comment 3 Jan Pazdziora 2021-04-09 15:10:32 UTC
Josh, is a pull request to https://pagure.io/fedora-comps/blob/main/f/comps-eln.xml.in still the way to modify RHEL 9 comps or has the process since changed?

Given that UBI images don't contain for example systemd, I assume they are not using @core group for specifying package sets anyway.

The biggest problem with Recommends is that depending on --excludeWeakdeps option to %packages in the kickstart and install_weak_deps setting in dnf, the end result is different, which is not really nice for repeatability. So ideally removing that Recommends would be best.
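
The following is an added example, not part of the bug report or of crypto-policies: a shell check that reads a dnf transaction summary and fails when anything is listed under "Installing weak dependencies:", which a build pipeline can use to catch the non-repeatable result described above. The function names are hypothetical, and the sample input is constructed from the "Actual results" output in the description.

```shell
# Added example; function names are hypothetical, not part of dnf.
# Typical use (the dnf options are real, the pipeline is an assumption):
#   dnf reinstall --assumeno crypto-policies 2>&1 | assert_no_weak_deps
# To keep weak deps out of a transaction: --setopt=install_weak_deps=False

# Print the names of packages listed under "Installing weak dependencies:".
weak_deps_in_transaction() {
    awk '
        /^Installing weak dependencies:/ { in_weak = 1; next }
        # Any unindented line (next section header, rule, blank) ends the section.
        in_weak && !/^ / { in_weak = 0 }
        # A long package name is wrapped onto a line of its own.
        in_weak && NF == 1 { print $1; next }
        # Normal row: name arch version repository size unit.
        in_weak && NF >= 6 { print $1 }
    '
}

# Return non-zero (and report on stderr) if the summary on stdin pulls weak deps.
assert_no_weak_deps() {
    found=$(weak_deps_in_transaction)
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'weak dependencies pulled in:\n%s\n' "$found" >&2
    return 1
}

# Constructed sample: the transaction table quoted in the bug description.
sample_transaction() {
    cat <<'EOF'
================================================================================
 Package                 Arch   Version                     Repository     Size
================================================================================
Reinstalling:
 crypto-policies         noarch 20210218-1.git2246c55.el9   beaker-BaseOS  56 k
Installing weak dependencies:
 crypto-policies-scripts noarch 20210218-1.git2246c55.el9   beaker-BaseOS  67 k
 grubby                  x86_64 8.40-51.el9                 beaker-BaseOS  37 k
EOF
}

# Demo: prints crypto-policies-scripts and grubby, one per line.
sample_transaction | weak_deps_in_transaction
```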

Comment 5 Josh Boyer 2021-04-12 17:54:53 UTC
(In reply to Jan Pazdziora from comment #3)
> Josh, is a pull request to
> https://pagure.io/fedora-comps/blob/main/f/comps-eln.xml.in still the way to
> modify RHEL 9 comps or has the process since changed?

Changed.  Use centos-stream comps:

https://gitlab.com/redhat/centos-stream/release-engineering/comps

> Given that UBI images don't contain for example systemd, I assume they are
> not using @core group for specifying package sets anyway.

They are not.  They're built from kickstarts that specify --nocore

> The biggest problem with Recommends is that depending on --excludeWeakdeps
> option to %packages in the kickstart and install_weak_deps setting in dnf,
> the end result is different, which is not really nice for repeatability. So
> ideally removing that Recommends would be best.

Comment 6 Alexander Sosedkin 2021-05-11 15:22:58 UTC
On second thought, I now think that the reasons to add it to @core are solid enough. Nothing in there seems to depend on non-platform python.

Can I just keep it the way it is now?

 * no @core because python dependency
 * recommended and not suggested as it contains the fundamental package functionality expected from crypto-policies package
 * recommended and not required as it can be avoided for setups that only use DEFAULT policy

Comment 7 Jan Pazdziora 2021-05-11 15:46:20 UTC
What is the problem of having packages in @core that require python? There's dnf there, for example. Why can't crypto-policies-scripts go to @core?

Comment 8 Alexander Sosedkin 2021-05-11 16:29:14 UTC
Hm, you're right, they both seem to be content with platform-python.
Filed https://gitlab.com/redhat/centos-stream/release-engineering/comps/-/merge_requests/36

Can I keep the Recommends?

Comment 9 Jan Pazdziora 2021-05-13 13:55:35 UTC
Keeping the Recommends is discouraged as it brings non-determinism to the installation, so it'd be good if it could be removed. With the -scripts package now listed in @core, it will get installed in most typical installations. Removing the Recommends will allow easy installation for example in containers where changing the crypto policy is not anticipated.

Comment 17 errata-xmlrpc 2022-05-17 15:54:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: crypto-policies), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3953