Bug 2271227

Summary: RFE: Update Recommends to support sdubby as alternative to grubby
Product: [Fedora] Fedora
Reporter: Gary Buhrmaster <gary.buhrmaster>
Component: crypto-policies
Assignee: Red Hat Crypto Team <crypto-team>
Status: CLOSED DEFERRED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Docs Contact:
Priority: unspecified
Version: 40
CC: asosedki, cllang, crypto-team, luk.claes, rrelyea, tm
Target Milestone: ---
Keywords: RFE
Target Release: ---
Flags: fedora-admin-xmlrpc: mirror+
Hardware: Unspecified
OS: Linux
Last Closed: 2024-04-02 15:16:15 UTC
Type: ---
Bug Depends On: 2271533
Bug Blocks:
Attachments:
Patch supporting grubby or sdubby (flags: none)

Description Gary Buhrmaster 2024-03-23 22:00:01 UTC
While crypto-policies-scripts has logic to handle the lack of /usr/sbin/grubby, it does Recommend grubby.  Note that until recently, sdubby had a "Provides: grubby" stanza, but that was removed recently.  Adding in sdubby as meeting the recommends returns crypto-policies-scripts to approximate equivalency before that other fix in sdubby.  Please consider updating the Recommend to be (grubby or sdubby) for those that are moving to systemd-boot.  In practice, grubby or sdubby are likely already installed, so the Recommend is a no-op, but it may make package resolution easier for dnf.

Proposed patch will be attached.

Reproducible: Didn't try

Comment 1 Gary Buhrmaster 2024-03-23 22:01:16 UTC
Created attachment 2023280
Patch supporting grubby or sdubby

Comment 2 Gary Buhrmaster 2024-03-24 01:41:17 UTC
Related (where sdubby no longer provides grubby): Bug 2269992

Comment 3 Clemens Lang 2024-03-25 09:10:10 UTC
I'm not sure we want this, considering that sdubby does not actually seem to work with `fips-mode-setup`. See bug 2259197.

Comment 4 Gary Buhrmaster 2024-03-25 18:20:26 UTC
(In reply to Clemens Lang from comment #3)
> I'm not sure we want this, considering that sdubby does not actually seem to
> work with `fips-mode-setup`. See bug 2259197.

I believe that issue was caused because sdubby "Provides: grubby" (and the sdboot version was > grubby) and now that sdubby has been changed to no longer provide grubby, it will not replace grubby (if installed).

Comment 5 Clemens Lang 2024-03-25 19:28:44 UTC
(In reply to Gary Buhrmaster from comment #4)
> I believe that issue was caused because sdubby "Provides: grubby" (and the
> sdboot version was > grubby) and now that sdubby has been changed to no
> longer provide grubby, it will not replace grubby (if installed).

Correct. However, given that `fips-mode-setup` currently does not seem to work with sdubby (or maybe we're just trying on systems that aren't correctly set up for sdubby?), I don't think we should be adding the alternative dependency.

Comment 6 Gary Buhrmaster 2024-03-25 22:52:10 UTC
(In reply to Clemens Lang from comment #5)

> Correct. However, given that `fips-mode-setup` currently does not seem to
> work with sdubby (or maybe we're just trying on systems that aren't
> correctly set up for sdubby?)

I think the problem is as reported in Bug 2271533 so I am going to add a "depends" on that bug.

Comment 7 Alexander Sosedkin 2024-04-02 15:16:15 UTC
I'm with Clemens here, with the current state of sdubby's interface we shouldn't depend on it.
Once the situation changes we can re-consider, but if it stops providing `grubby` in $PATH, the change might involve more than just adding an rpm dependency.
Feel free to either reopen or file a more general "support sdubby in addition to grubby" ticket once it grows the featureset we're using.