Bug 441677

Summary: yum-security plugin needs to pull in non-security dependancies
Product: [Fedora] Fedora Reporter: Bradley <bbaetz>
Component: yum-utilsAssignee: James Antill <james.antill>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8CC: james.antill, jhutar, pmatilai, tim.lauridsen
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-26 10:56:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
debug output
none
debug output with patch (specifying package name)
none
Without the package name none

Description Bradley 2008-04-09 13:45:32 UTC 
Description of problem:

Using yum --security, if a package has a dependency that is being excluded
(because its not a security package), the rpm install fails. Instead, any
security packages and all dependencies should be installed (even if they're not
security updates themselves)

Version-Release number of selected component (if applicable):

yum-3.2.8-2.fc8
yum-security-1.1.11-1.fc8

xine-lib-1.1.11-1.fc8
xine-lib-extras-nonfree-1.1.11-1.lvn8

How reproducible:

Always

Steps to Reproduce:
1. Have above xine packages installed
2. Ensure that the updated 1.1.11.1-1 RPMs are available (both local and livna
mirrors)
3. yum --security -y update
  
Actual results:

Packages download, but install fails with:

ERROR with rpm_check_debug vs depsolve:
Package xine-lib-extras-nonfree needs xine-lib = 1.1.11, this is not available.

Expected results:

xine-lib-extras-nonfree is downloaded as well and installed to meet dependancies

Additional info:

- Debug (-d 5) attached

- yum update xine-lib (without --security) does work, so all the metadata on my
mirror is definitely OK.
Comment 1 Bradley 2008-04-09 13:45:32 UTC 
Created attachment 301805 [details]
debug output
Comment 2 James Antill 2008-04-09 14:23:55 UTC 
 Can you try this patch:

http://people.redhat.com/jantill/yum/patches/yum-sec-installed.patch
Comment 3 James Antill 2008-04-09 14:46:58 UTC 
 Also, if that doesn't work ... can you add the output for the "yum -d 5 update
xine-libs" case.
Comment 4 Bradley 2008-04-09 15:18:35 UTC 
Created attachment 301830 [details]
debug output with patch (specifying package name)

Well, sort of. With 'yum --security update xine-lib' it works.

However, if I don't specify a package name it fails. The new output says that
its updating 3 of 4 packages (the old one said 1 of 2), but it still doesn't
pull in the dep.

This debug is specifying the package name; the following one will be without
any package.
Comment 5 Bradley 2008-04-09 15:19:05 UTC 
Created attachment 301831 [details]
Without the package name
Comment 6 Bradley 2008-04-09 15:19:52 UTC 
Both those attachments were with the patch manually applied.
Comment 7 James Antill 2008-04-09 17:16:43 UTC 
 Ok, I'm pretty sure I've fixed this. Here's an updated security plugin:

http://people.redhat.com/jantill/yum/plugins/security.py

...just copy over the old one, I've only tested with 3.2.14 ... but it should
work :).
Comment 8 Bradley 2008-04-10 00:38:59 UTC 
That works, thanks. It does still say:

Needed 3 of 4 packages, for security

though.
Comment 9 James Antill 2008-04-10 03:13:26 UTC 
 Ok, thanks. I'll leave this BZ open at least until the fix is in rawhide.

 The message is intentional ... and is saying it removed 1 package from a normal
"yum update" (i.e. it needed 3 of the 4 available packages, due to security).
Comment 10 Bradley 2008-04-10 04:13:20 UTC 
But there are only 2 available packages, only one of which is a security
issue... Without the patch it said 1 of 2; it should say either 1/2 or 2/2
(making sure not to overcount if the extra package wasn't an update but was an
extra prereq)
Comment 11 James Antill 2008-04-10 04:28:08 UTC 
 Right, I've also changed it upstream to say "transactional packages" which is
kind of what it is counting.
 The extra numbers are because it's counting the old xine-lib packages you have
installed (which are being removed as part of the transaction).
Comment 12 Bug Zapper 2008-11-26 10:27:18 UTC 
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Bradley 2008-11-26 10:56:09 UTC 
Fixed for F10 (and was earlier pushed to F8 as an update, IIRC)