Bug 1263235 - audit in F23 is older than in F22, breaks upgrade
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: audit
Version: 23
Assigned To: Steve Grubb
Fedora Extras Quality Assurance
AcceptedBlocker
Blocks: F23BetaBlocker Beta0Day/F23Beta0Day
Reported: 2015-09-15 07:55 EDT by Kamil Páral
Modified: 2015-09-19 14:54 EDT
Fixed In Version: 2.4.4-2.fc23
Doc Type: Bug Fix
Last Closed: 2015-09-19 14:54:13 EDT
Type: Bug
Description Kamil Páral 2015-09-15 07:55:27 EDT
Description of problem:
$ sudo dnf system-upgrade download --releasever=23
<snip>
Skipping packages with broken dependencies:
 setroubleshoot                x86_64 3.3.1-0.2.fc23               fedora 220 k
 setroubleshoot-server         x86_64 3.3.1-0.2.fc23               fedora 274 k

$ sudo dnf system-upgrade download --releasever=23 --best
Error: package audit-libs-python3-2.4.3-1.fc23.x86_64 requires audit = 2.4.3-1.fc23, but none of the providers can be installed.
package setroubleshoot-server-3.3.1-0.2.fc23.x86_64 requires audit-libs-python3 >= 1.2.6-3, but none of the providers can be installed

This is caused by the fact that F23 contains audit-2.4.3-1.fc23.x86_64, but F22 contains audit-2.4.4-1.fc22.x86_64. Since system-upgrade uses "update" and not "distro-sync", it refuses to install a lower version and in turn it holds back setroubleshoot from upgrading.

Please note that upgradepath check correctly informed about this problem a month ago:
https://bodhi.fedoraproject.org/updates/audit-2.4.4-1.fc22#comment-117637
The fact that the update was pushed nonetheless is unfortunate, but at least it tried to alert people about this.


Version-Release number of selected component (if applicable):
audit-2.4.4-1.fc22.x86_64
audit-2.4.3-1.fc23.x86_64
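
The upgrade-path problem described in this report, as an added example that is not part of the original bug report or of any Fedora tool: a simplified Python version of RPM's segment-wise version comparison (no '~' or '^' handling) that flags packages whose version in the newer release is lower than in the older one. The function names and the "examplepkg" entry are assumptions made for illustration; the audit versions are the ones quoted in this bug.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment.
    Simplified from rpm's rules: '~' and '^' are not handled."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # compare numbers by value
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    """Return 1, 0 or -1 as EVR a is newer than, equal to or older than b."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def broken_upgrade_paths(old_repo, new_repo):
    """Names of packages whose EVR in the newer release is lower than in the older."""
    return sorted(name for name, evr in old_repo.items()
                  if name in new_repo and evr_cmp(new_repo[name], evr) < 0)

# audit versions are those quoted in this report; "examplepkg" is constructed.
F22 = {"audit": "2.4.4-1.fc22", "examplepkg": "1.0-3.fc22"}
F23_BEFORE = {"audit": "2.4.3-1.fc23", "examplepkg": "1.0-3.fc23"}
F23_AFTER = {"audit": "2.4.4-2.fc23", "examplepkg": "1.0-3.fc23"}

if __name__ == "__main__":
    print(broken_upgrade_paths(F22, F23_BEFORE))
    print(broken_upgrade_paths(F22, F23_AFTER))
```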
Comment 1 Kamil Páral 2015-09-15 07:58:06 EDT
This breaks the following Beta requirement:
"The upgraded system must include all packages that would be present on the system after a default installation from install media, plus any packages the user previously had (minus any obsolete content)."
https://fedoraproject.org/wiki/Fedora_22_Beta_Release_Criteria#Upgrade_requirements

audit and setroubleshoot are part of the default installation set, at least on Workstation.
Comment 2 Adam Williamson 2015-09-15 14:46:57 EDT
I kinda feel like the blocker process just isn't the right way to handle these cases, but I'm not sure what is. Note the criterion was really meant to be about packages not package *versions*, but the exact way we apply the criteria isn't really the issue, the issue is 'what's the right way to handle upgradepath bugs for the release process'.

And of course there's the old perennial 'should upgrades be distro-sync'. Of course, we have the option of simply including `--distro-sync` in the documented instructions for using dnf-system-upgrade, I guess.

Still, given that it's the process we have right now, tentative +1 from me.

For now I think I'm going to tweak the wiki pages to hedge a bit.
Comment 3 Steve Grubb 2015-09-16 03:04:40 EDT
I'll try to get a build out soon. I needed to push 2.4.4 because of a CVE that people were exposed to on F22/21. For some reason, the build failed in F23 and it was a very unusual failure. I needed a F23 VM to see what is going on. I have not been able to get one to install. (No iso images for the alpha.) I now have the TC5 iso and will see if I can recreate the build failure.
Comment 4 Peter Robinson 2015-09-16 07:19:49 EDT
(In reply to Steve Grubb from comment #3)
> I'll try to get a build out soon. I needed to push 2.4.4 because of a CVE
> that people were exposed to on F22/21. For some reason, the build failed in
> F23 and it was a very unusual failure. I needed a F23 VM to see what is
> going on. I have not been able to get one to install. (No iso images for the
> alpha.) I now have the TC5 iso and will see if I can recreate the build
> failure.

I've fixed it and am building an update now. It's because the linker was using the distro linker flags, which are hardened, but the build wasn't using the distro CFLAGS with the appropriate hardening bits. Passing the CFLAGS through make fixes this.

You might want to look at the package in other versions, as it looks like the package isn't generally built with the appropriate $CFLAGS.
Comment 5 Fedora Update System 2015-09-16 07:32:06 EDT
audit-2.4.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-16016
Comment 6 Stephen Gallagher 2015-09-16 08:16:28 EDT
I'd give this a +1 blocker as well, but as a "special blocker" (needs to be fixed and in the stable repo before we announce Beta release, but doesn't necessitate a change to the frozen package set).
Comment 7 Fedora Update System 2015-09-16 13:51:09 EDT
audit-2.4.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update audit'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-16016
Comment 8 Adam Williamson 2015-09-17 12:20:45 EDT
Discussed at 2015-09-17 Fedora 23 Beta Go/No-Go meeting, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/teams/f23_beta_go_no-go_meeting/f23_beta_go_no-go_meeting.2015-09-17-16.00.log.txt . Accepted as a 'special blocker': in this context that means we are requiring that this update must be in the 0-day update set for Beta. It does *not* need to be included in the frozen Beta repo or media.

We really ought to have a better process for tracking such issues, but for now the blocker process is what we've got.
Comment 9 Fedora Update System 2015-09-19 14:54:11 EDT
audit-2.4.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
