Red Hat Bugzilla – Bug 1263235
audit in F23 is older than in F22, breaks upgrade
Last modified: 2015-09-19 14:54:13 EDT
Description of problem:
$ sudo dnf system-upgrade download --releasever=23
Skipping packages with broken dependencies:
setroubleshoot x86_64 3.3.1-0.2.fc23 fedora 220 k
setroubleshoot-server x86_64 3.3.1-0.2.fc23 fedora 274 k
$ sudo dnf system-upgrade download --releasever=23 --best
Error: package audit-libs-python3-2.4.3-1.fc23.x86_64 requires audit = 2.4.3-1.fc23, but none of the providers can be installed.
package setroubleshoot-server-3.3.1-0.2.fc23.x86_64 requires audit-libs-python3 >= 1.2.6-3, but none of the providers can be installed
This is caused by the fact that F23 contains audit-2.4.3-1.fc23.x86_64, but F22 contains audit-2.4.4-1.fc22.x86_64. Since system-upgrade uses "update" and not "distro-sync", it refuses to install a lower version and in turn it holds back setroubleshoot from upgrading.
Please note that upgradepath check correctly informed about this problem a month ago:
The fact that the update was pushed nonetheless is unfortunate, but at least it tried to alert people about this.
Version-Release number of selected component (if applicable):
This breaks the following Beta requirement:
"The upgraded system must include all packages that would be present on the system after a default installation from install media, plus any packages the user previously had (minus any obsolete content)."
audit and setroubleshoot are part of the default installation set, at least on Workstation.
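The upgradepath condition described in this report, as an added example (not part of the bug thread or of Fedora's tooling): a simplified re-implementation of rpm's version comparison, without caret handling, applied to the audit EVRs quoted in this bug. The function names are hypothetical.

```python
import re

def rpmvercmp(a, b):
    """Compare version or release strings the way rpm does (no '^' support)."""
    while a or b:
        a = re.sub(r'^[^A-Za-z0-9~]+', '', a)   # separators carry no weight
        b = re.sub(r'^[^A-Za-z0-9~]+', '', b)
        if a[:1] == '~' or b[:1] == '~':        # '~' sorts before anything
            if a[:1] != b[:1]:
                return -1 if a[:1] == '~' else 1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pat = r'^[0-9]+' if numeric else r'^[A-Za-z]+'
        sa = re.match(pat, a).group()
        mb = re.match(pat, b)
        if mb is None:                          # digits beat letters
            return 1 if numeric else -1
        sb = mb.group()
        a, b = a[len(sa):], b[len(sb):]
        if numeric:
            sa, sb = sa.lstrip('0'), sb.lstrip('0')
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return (len(a) > 0) - (len(b) > 0)          # leftover text means newer

def parse_evr(evr):
    epoch, _, rest = evr.rpartition(':')
    version, _, release = rest.partition('-')
    return int(epoch or 0), version, release

def evr_cmp(x, y):
    (e1, v1, r1), (e2, v2, r2) = parse_evr(x), parse_evr(y)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def upgradepath_violations(older, newer):
    """Packages whose EVR in the newer release sorts below the older one."""
    return sorted(n for n in older
                  if n in newer and evr_cmp(newer[n], older[n]) < 0)

# EVRs taken from this bug report: F22, F23 as reported, F23 after the fix
F22 = {"audit": "2.4.4-1.fc22"}
F23_BEFORE = {"audit": "2.4.3-1.fc23"}
F23_AFTER = {"audit": "2.4.4-2.fc23"}
print(upgradepath_violations(F22, F23_BEFORE), upgradepath_violations(F22, F23_AFTER))
```

A package flagged here is one that an "update"-style upgrade will hold back, which in this bug also means the F22 build carrying the CVE fix has no newer F23 counterpart.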
I kinda feel like the blocker process just isn't the right way to handle these cases, but I'm not sure what is. Note the criterion was really meant to be about packages not package *versions*, but the exact way we apply the criteria isn't really the issue, the issue is 'what's the right way to handle upgradepath bugs for the release process'.
And of course there's the old perennial 'should upgrades be distro-sync'. Of course, we have the option of simply including `--distro-sync` in the documented instructions for using dnf-system-upgrade, I guess.
Still, given that it's the process we have right now, tentative +1 from me.
For now I think I'm going to tweak the wiki pages to hedge a bit.
I'll try to get a build out soon. I needed to push 2.4.4 because of a CVE that people were exposed to on F22/21. For some reason, the build failed in F23 and it was a very unusual failure. I needed a F23 VM to see what is going on. I have not been able to get one to install. (No iso images for the alpha.) I now have the TC5 iso and will see if I can recreate the build failure.
(In reply to Steve Grubb from comment #3)
> I'll try to get a build out soon. I needed to push 2.4.4 because of a CVE
> that people were exposed to on F22/21. For some reason, the build failed in
> F23 and it was a very unusual failure. I needed a F23 VM to see what is
> going on. I have not been able to get one to install. (No iso images for the
> alpha.) I now have the TC5 iso and will see if I can recreate the build
I've fixed it and am building an update now. It's because the linker was using the distro linker flags, which are hardened, but the build wasn't using the distro CFLAGS with the appropriate hardening bits. Passing the CFLAGS through make fixes this.
You might want to look at the package in other versions as it looks like the package isn't generally built with the appropriate $CFLAGS.
audit-2.4.4-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-16016
I'd give this a +1 blocker as well, but as a "special blocker" (needs to be fixed and in the stable repo before we announce Beta release, but doesn't necessitate a change to the frozen package set).
audit-2.4.4-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update audit'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-16016
Discussed at 2015-09-17 Fedora 23 Beta Go/No-Go meeting, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/teams/f23_beta_go_no-go_meeting/f23_beta_go_no-go_meeting.2015-09-17-16.00.log.txt . Accepted as a 'special blocker': in this context that means we are requiring that this update must be in the 0-day update set for Beta. It does *not* need to be included in the frozen Beta repo or media.
We really ought to have a better process for tracking such issues, but for now the blocker process is what we've got.
audit-2.4.4-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.