Red Hat Bugzilla – Bug 1551279
authselect pulls in a LOT of extra dependencies than authconfig
Last modified: 2018-03-26 18:28:50 EDT
authselect appears to pull in all possible means of doing authentication to ensure everything is available rather than just being able to configure the options that are actually available.
This is a change in how authconfig worked previously and pulls in a lot of extra dependencies bloating things like minimal images and potentially containers.
# dnf upgrade
Last metadata expiration check: 1:19:21 ago on Sun 04 Mar 2018 10:11:22 AM UTC.
Package Arch Version Repository
realmd armv7hl 0.16.3-11.fc28 fedora 208 k
authselect armv7hl 0.3-3.fc28 fedora 24 k
authselect-compat armv7hl 0.3-3.fc28 fedora 29 k
replacing authconfig.armv7hl 7.0.1-5.fc28
authselect-libs armv7hl 0.3-3.fc28 fedora 46 k
avahi-libs armv7hl 0.7-8.fc28 fedora 54 k
cups-libs armv7hl 1:2.2.6-11.fc28 fedora 383 k
cyrus-sasl-gssapi armv7hl 2.1.26-37.fc28 fedora 45 k
libipa_hbac armv7hl 1.16.0-12.fc28 fedora 84 k
libsmbclient armv7hl 2:4.8.0-0.4.rc3.fc28 fedora 126 k
libwbclient armv7hl 2:4.8.0-0.4.rc3.fc28 fedora 104 k
oddjob armv7hl 0.34.4-4.fc28 fedora 75 k
psmisc armv7hl 23.1-3.fc28 fedora 146 k
python2 armv7hl 2.7.14-13.fc28 fedora 101 k
python2-libs armv7hl 2.7.14-13.fc28 fedora 5.8 M
python2-pip noarch 9.0.1-16.fc28 fedora 1.8 M
python2-setuptools noarch 38.4.0-3.fc28 fedora 622 k
python2-talloc armv7hl 2.1.11-5.fc28 fedora 23 k
samba-client-libs armv7hl 2:4.8.0-0.4.rc3.fc28 fedora 4.3 M
samba-common noarch 2:4.8.0-0.4.rc3.fc28 fedora 202 k
samba-common-libs armv7hl 2:4.8.0-0.4.rc3.fc28 fedora 150 k
samba-common-tools armv7hl 2:4.8.0-0.4.rc3.fc28 fedora 409 k
samba-libs armv7hl 2:4.8.0-0.4.rc3.fc28 fedora 254 k
samba-winbind-modules armv7hl 2:4.8.0-0.4.rc3.fc28 fedora 111 k
sssd-ad armv7hl 1.16.0-12.fc28 fedora 193 k
sssd-common-pac armv7hl 1.16.0-12.fc28 fedora 137 k
sssd-ipa armv7hl 1.16.0-12.fc28 fedora 278 k
sssd-krb5 armv7hl 1.16.0-12.fc28 fedora 117 k
sssd-krb5-common armv7hl 1.16.0-12.fc28 fedora 144 k
sssd-ldap armv7hl 1.16.0-12.fc28 fedora 186 k
Installing weak dependencies:
adcli armv7hl 0.8.0-6.fc28 fedora 88 k
oddjob-mkhomedir armv7hl 0.34.4-4.fc28 fedora 46 k
samba-winbind armv7hl 2:4.8.0-0.4.rc3.fc28 fedora 490 k
sssd armv7hl 1.16.0-12.fc28 fedora 75 k
sssd-proxy armv7hl 1.16.0-12.fc28 fedora 110 k
Install 33 Packages
Upgrade 1 Package
Total download size: 17 M
Is this ok [y/N]:
It installs this as part of authselect-compat weak dependency (Recommends), I think it would be fine to use Suggests instead as we do in authselect package.
authselect-0.3.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9853e65a1
authselect-0.3.2-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a9853e65a1
Proposing as a freeze exception for Beta, avoiding this bloat in minimal images seems worthwhile.
I took a look at the changes to the dependencies that were made in 0.3.1 and 0.3.2 and I think they're wrong. Suggests: dependencies are useless in this context; there is no UI in DNF or PackageKit to actually provide feedback to the user.
The use of Recommends: was, in fact, the correct behavior. Recommends: essentially means "we think a default install of this package should require this, but in limited situations they could function without it."
Suggests: is actually only used when the depsolver needs to resolve two different packages that can both satisfy a virtual dependency and when neither is already part of the transaction or currently-installed set. So having them here is completely non-functional.
So either these weak dependencies should be left as Recommends: (because you think the average user of the system should have them if they install authselect), or they should be removed entirely.[*]
Peter, I think what you are looking for in minimal images would have been already satisfied by `dnf --setopt=install_weak_deps=False upgrade realmd`. That usage of DNF really is how it should always be invoked in minimal environments.
[*] A future enhancement could be for authselect to do as realmd does and automatically install the necessary packages based on the auth mechanism the user has selected.
"The use of Recommends: was, in fact, the correct behavior. Recommends: essentially means "we think a default install of this package should require this, but in limited situations they could function without it.""
I'm not sure I agree this is correct, at least in context. The typical case in Fedora is not *really* going to be "the user chooses to install authselect", after all. In practice, it's just going to get installed as part of initial system install, or on upgrade of an existing install, as in Peter's example. And we really don't want it to pull in all this stuff to minimal installs in that case, I don't think. I don't expect to do a 'minimal' install of Fedora from the network install image and have all that stuff pulled in.
(In reply to Adam Williamson from comment #6)
> "The use of Recommends: was, in fact, the correct behavior. Recommends:
> essentially means "we think a default install of this package should require
> this, but in limited situations they could function without it.""
Oops; I was typing in stream-of-consciousness and meant to go back and change this line. It should have read more like "Recommends: was closer to the correct behavior, in that it essentially means "we think a default install of this package should require this, but in limited situations they could function without it."
However, looking closer into the actual way that authselect seems to work, I think the final, more correct approach would be to drop these dependencies *entirely*. Making them Suggests: doesn't result in them ever being pulled in anyway (and just grows the repodata).
Discussed during the 2018-03-26 blocker review meeting: 
The decision to classify this bug as an AcceptedFreezeException was made as it's desirable to remove the unwanted bits from the images that this addresses.
authselect-0.3.2-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.