Bug 1263235 - audit in F23 is older than in F22, breaks upgrade
Summary: audit in F23 is older than in F22, breaks upgrade
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F23BetaBlocker Beta0Day, F23Beta0Day
TreeView+ depends on / blocked
 
Reported: 2015-09-15 11:55 UTC by Kamil Páral
Modified: 2015-09-19 18:54 UTC (History)
5 users (show)

Fixed In Version: 2.4.4-2.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-19 18:54:13 UTC
Type: Bug


Attachments (Terms of Use)

Description Kamil Páral 2015-09-15 11:55:27 UTC
Description of problem:
$ sudo dnf system-upgrade download --releasever=23
<snip>
Skipping packages with broken dependencies:
 setroubleshoot                x86_64 3.3.1-0.2.fc23               fedora 220 k
 setroubleshoot-server         x86_64 3.3.1-0.2.fc23               fedora 274 k

$ sudo dnf system-upgrade download --releasever=23 --best
Error: package audit-libs-python3-2.4.3-1.fc23.x86_64 requires audit = 2.4.3-1.fc23, but none of the providers can be installed.
package setroubleshoot-server-3.3.1-0.2.fc23.x86_64 requires audit-libs-python3 >= 1.2.6-3, but none of the providers can be installed

This is caused by the fact that F23 contains audit-2.4.3-1.fc23.x86_64, but F22 contains audit-2.4.4-1.fc22.x86_64. Since system-upgrade uses "update" and not "distro-sync", it refuses to install a lower version and in turn it holds back setroubleshoot from upgrading.

Please note that upgradepath check correctly informed about this problem a month ago:
https://bodhi.fedoraproject.org/updates/audit-2.4.4-1.fc22#comment-117637
The fact that the update was pushed nonetheless is unfortunate, but at least it tried to alert people about this.


Version-Release number of selected component (if applicable):
audit-2.4.4-1.fc22.x86_64
audit-2.4.3-1.fc23.x86_64

Comment 1 Kamil Páral 2015-09-15 11:58:06 UTC
This breaks the following Beta requirement:
" The upgraded system must include all packages that would be present on the system after a default installation from install media, plus any packages the user previously had (minus any obsolete content). "
https://fedoraproject.org/wiki/Fedora_22_Beta_Release_Criteria#Upgrade_requirements

audit and setroubleshoot are part of the default installation set, at least on Workstation.

Comment 2 Adam Williamson 2015-09-15 18:46:57 UTC
I kinda feel like the blocker process just isn't the right way to handle these cases, but I'm not sure what is. Note the criterion was really meant to be about packages not package *versions*, but the exact way we apply the criteria isn't really the issue, the issue is 'what's the right way to handle upgradepath bugs for the release process'.

And of course there's the old perennial 'should upgrades be distro-sync'. Of course, we have the option of simply including `--distro-sync` in the documented instructions for using dnf-system-upgrade, I guess.

Still, given that it's the process we have right now, tentative +1 from me.

For now I think I'm going to tweak the wiki pages to hedge a bit.

Comment 3 Steve Grubb 2015-09-16 07:04:40 UTC
I'll try to get a build out soon. I needed to push 2.4.4 because of a CVE that people were exposed to on F22/21. For some reason, the build failed in F23 and it was a very unusual failure. I needed a F23 VM to see what is going on. I have not been able to get one to install. (No iso images for the alpha.) I now have the TC5 iso and will see if I can recreate the build failure.

Comment 4 Peter Robinson 2015-09-16 11:19:49 UTC
(In reply to Steve Grubb from comment #3)
> I'll try to get a build out soon. I needed to push 2.4.4 because of a CVE
> that people were exposed to on F22/21. For some reason, the build failed in
> F23 and it was a very unusual failure. I needed a F23 VM to see what is
> going on. I have not been able to get one to install. (No iso images for the
> alpha.) I now have the TC5 iso and will see if I can recreate the build
> failure.

I've fixed it and building an update now. It's because with the linker was using the distro linker flags which are hardened and but the build wasn't using the distro CFLAGs with the appropriate hardening bits. Passing the CFLAGS through make fixes this.

You might want to look at the package in other versions as it looks like the package isn't generally built with the appropriate $CFLAGS

Comment 5 Fedora Update System 2015-09-16 11:32:06 UTC
audit-2.4.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-16016

Comment 6 Stephen Gallagher 2015-09-16 12:16:28 UTC
I'd give this a +1 blocker as well, but as a "special blocker" (needs to be fixed and in the stable repo before we announce Beta release, but doesn't necessitate a change to the frozen package set).

Comment 7 Fedora Update System 2015-09-16 17:51:09 UTC
audit-2.4.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update audit'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-16016

Comment 8 Adam Williamson 2015-09-17 16:20:45 UTC
Discussed at 2015-09-17 Fedora 23 Beta Go/No-Go meeting, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/teams/f23_beta_go_no-go_meeting/f23_beta_go_no-go_meeting.2015-09-17-16.00.log.txt . Accepted as a 'special blocker': in this context that means we are requiring that this update must be in the 0-day update set for Beta. It does *not* need to be included in the frozen Beta repo or media.

We really ought to have a better process for tracking such issues, but for now the blocker process is what we've got.

Comment 9 Fedora Update System 2015-09-19 18:54:11 UTC
audit-2.4.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.