Bug 1878468 - RPM spec has unnecessary dependencies
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-Net-DNS
Version: 32
Hardware: Unspecified
OS: Unspecified
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Reported: 2020-09-13 08:49 UTC by Dick Franks
Modified: 2020-11-06 12:12 UTC (History)
Last Closed: 2020-11-06 12:12:35 UTC
Type: Bug

Description Dick Franks 2020-09-13 08:49:49 UTC
Description of problem:

Upstream metadata lists far fewer dependencies than listed in the RPM spec
which appears to be an inaccurate list of packages cited in require and use
declarations in the code.

Actual results:

Potential to cause automatic installation of perl-Net-DNS-SEC without deliberate user involvement.  This may have unpleasant legal consequences in some countries.


Expected results:

The documented Net::DNS API can be delivered by reducing this section of
the RPM spec to something like: 

 # Build
 BuildRequires: coreutils
 BuildRequires: findutils
 BuildRequires: glibc-common
 BuildRequires: make
 BuildRequires: sed
 BuildRequires: perl-generators
 BuildRequires: perl-interpreter
 BuildRequires: perl(ExtUtils::MakeMaker)
 BuildRequires: perl(Getopt::Long)
 BuildRequires: perl(IO::Socket::IP)
 # Runtime
 BuildRequires: perl(Carp)
 BuildRequires: perl(Digest::HMAC)
 BuildRequires: perl(Digest::MD5)
 BuildRequires: perl(Digest::SHA)
 BuildRequires: perl(Encode)
 BuildRequires: perl(Exporter)
 BuildRequires: perl(File::Spec)
 BuildRequires: perl(IO::File)
 BuildRequires: perl(IO::Select)
 BuildRequires: perl(IO::Socket::IP) >= 0.38
 BuildRequires: perl(IO::Socket)
 BuildRequires: perl(MIME::Base64)
 BuildRequires: perl(PerlIO)
 BuildRequires: perl(Scalar::Util)
 BuildRequires: perl(Time::Local)
 # Net::LibIDN2 is optional
 # Digest::BubbleBabble is optional
 %if ! (0%{?rhel} >= 7)
 BuildRequires: perl(Digest::BubbleBabble)
 %endif
 # Tests only
 BuildRequires: perl(File::Find)
 BuildRequires: perl(Test::Builder)
 BuildRequires: perl(Test::More)
 # Optional tests:
 Requires: perl(Test::Pod)


Additional info:

With the specific exception of IO::Socket::IP (which has recent bug history),
package versions can be ignored.


Net::DNS::SEC and its internal components MUST NOT be listed as dependencies.
Net::DNS::SEC is delivered separately because cryptographic software is
prohibited or severely restricted in many territories.
Net::DNS::SEC must be installed explicitly by the end-user who bears
responsibility for any legal consequences of so doing.


Other packages referred to in the code fall into 5 categories:

1) Perl CORE packages assumed always to be present:
	base, constant, integer, overload, strict, warnings, Config

2) Fallback for missing prerequisites (accepting reduced functionality):
	IO::Socket::INET, Net::LibIDN

3) Support for obsolete algorithm not yet formally deprecated:
	Digest::GOST, Digest::GOST::CryptoPro

4) Irrelevant platform specific packages:
	Win32::API, Win32::IPHelper, Win32::TieRegistry

5) Support for developer inbuilt test functions (not in documented API):
	Data::Dumper, Net::DNS::Extlang

Comment 1 Ben Cotton 2020-11-03 16:45:00 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 2 Paul Howarth 2020-11-04 13:19:57 UTC
Net::DNS::SEC is present as a build dependency (to support running of optional tests) but not as a hard run-time dependency. It is a "Suggests" weak dependency in all current Fedora versions, which should not result in it being included by default when Net::DNS itself is installed. Do you have an example of where it has been installed when it should not have been?

Comment 3 Dick Franks 2020-11-06 11:49:43 UTC
I have no evidence of this behaviour with Fedora or RHEL, but there is no guarantee that will always remain so.

However, this has happened in the past when doing CPAN installs, and Net::DNS::SEC was removed from the metadata for that specific reason.

The test scripts take account of the likely absence of Net::DNS::SEC and the supplied pre-install tests should all run successfully.   In the specific case of Net::DNS::SEC, the tests in perl-Net-DNS-SEC also cover the relevant parts of Net::DNS.

Some or all of the optional dependencies need not be present when the RPM is built, but will be conditionally compiled in when executed on the end-user's machine. If some situation arises where this fails, responsibility for fixing it belongs upstream.

Fedora/RHEL end users only install the RPM and are never exposed to the tests.

Installation of perl-Net-DNS-SEC MUST be a deliberate action by the end user who must bear the legal consequences of so doing.  See README in the Net::DNS::SEC distribution and at openssl.org/source/

There is no reason for the RPM Perl dependencies not to be in sync with the CPAN metadata. From the end-user pov, loading the RPM should be more or less equivalent to installing from CPAN.

Comment 4 Petr Pisar 2020-11-06 12:12:35 UTC
(In reply to Dick Franks from comment #3)
> Fedora/RHEL end users only install the RPM and are never exposed to the
> tests.
> 
Yes.

> Installation of perl-Net-DNS-SEC MUST be a deliberate action by the end user
> who must bear the legal consequences of so doing.

And it is so. Installing perl-Net-DNS does not trigger installing perl-Net-DNS-SEC:

# rpm -q perl-Net-DNS-SEC
package perl-Net-DNS-SEC is not installed

# dnf install perl-Net-DNS
Last metadata expiration check: 0:37:19 ago on Fri 06 Nov 2020 12:24:29 PM CET.
Dependencies resolved.
===========================================================================================================================================
 Package                             Architecture                  Version                            Repository                      Size
===========================================================================================================================================
Installing:
 perl-Net-DNS                        noarch                        1.27-1.fc34                        rawhide                        368 k

Transaction Summary
===========================================================================================================================================
Install  1 Package

> There is no reason for the RPM Perl dependencies not to be in sync with the
> CPAN metadata. From the end-user pov, loading the RPM should be more or less
> equivalent to installing from CPAN.

You conflate build-time and run-time dependencies.

The RPM package is built in Fedora infrastructure where BuildRequires are applied. An owner of the infrastructure takes the legal aspects of the build-time dependencies seriously <https://fedoraproject.org/wiki/Licensing>.
The built RPM package is installed on the end user system where BuildRequires do not apply. And as I showed above it does not trigger installing perl-Net-DNS-SEC.

The only RPM packages which trigger installing perl-Net-DNS-SEC are dnssec-tools and dnssec-tools-perlmods.
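
The build-time / run-time / weak-dependency distinction drawn in comments 2 and 4, as an added example that is not part of the original thread or of the Fedora spec: a small auditor that reads a spec on stdin and reports whether a capability would be pulled in by a default install of the built package. The sample spec, the function names and the category labels are constructed for illustration; macros and %if conditionals are not expanded.

```shell
#!/bin/sh
# Added example: classify how a capability is referenced in an RPM spec.

# Constructed sample spec fragment (NOT the real perl-Net-DNS spec).
sample_spec() {
cat <<'EOF'
Name:           perl-Example-DNS
BuildRequires:  perl(Net::DNS::SEC)
BuildRequires:  perl(Test::More), perl(File::Find)
Requires:       perl(IO::Socket::IP) >= 0.38
Recommends:     perl(Digest::BubbleBabble)
Suggests:       perl(Net::DNS::SEC)
EOF
}

# dep_tags CAPABILITY: print every dependency tag naming CAPABILITY (spec on stdin).
dep_tags() {
    awk -v cap="$1" '
        /^(BuildRequires|Requires|Recommends|Suggests)(\([^)]*\))?:/ {
            gsub(/,/, " ")                      # allow comma-separated lists
            tag = $1; sub(/(\(.*\))?:$/, "", tag) # "Requires(post):" -> "Requires"
            for (i = 2; i <= NF; i++) if ($i == cap) print tag
        }' | sort -u
}

# install_impact CAPABILITY: strongest effect on the end user's system.
#   hard         - Requires: always installed with the package
#   weak-default - Recommends: installed by dnf unless weak deps are disabled
#   hint-only    - Suggests: not installed by default
#   build-only   - BuildRequires: applies in the build root only
#   none         - not referenced
install_impact() {
    tags=$(dep_tags "$1")
    if   printf '%s\n' "$tags" | grep -qx 'Requires';      then echo hard
    elif printf '%s\n' "$tags" | grep -qx 'Recommends';    then echo weak-default
    elif printf '%s\n' "$tags" | grep -qx 'Suggests';      then echo hint-only
    elif printf '%s\n' "$tags" | grep -qx 'BuildRequires'; then echo build-only
    else echo none
    fi
}

for cap in 'perl(Net::DNS::SEC)' 'perl(IO::Socket::IP)' \
           'perl(Digest::BubbleBabble)' 'perl(Test::More)'; do
    printf '%-28s %s\n' "$cap" "$(sample_spec | install_impact "$cap")"
done
```

On an installed system the same question can be answered from the built package with `rpm -q --requires`, `rpm -q --recommends` and `rpm -q --suggests`.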

