Bug 1947871 - crypto-policies-scripts uses Recommends for grubby
Summary: crypto-policies-scripts uses Recommends for grubby
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: crypto-policies
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: beta
Assignee: Alexander Sosedkin
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-09 12:57 UTC by Jan Pazdziora
Modified: 2022-05-17 16:21 UTC (History)

Fixed In Version: crypto-policies-20210628-1.gitdd7d273.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:54:31 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:3953 0 None None None 2022-05-17 15:54:41 UTC

Description Jan Pazdziora 2021-04-09 12:57:57 UTC
Description of problem:

RHEL 9 Content Structure and Guidelines state that weak dependencies in BaseOS are allowed, but discouraged.

By using the Recommends weak dependencies especially for packages in @core group (Minimal host installation) or their direct dependencies, the recommended package gets pulled into the installed package set depending on the current configuration of the dnf transaction.

The crypto-policies-scripts package Recommends grubby.

If that package is needed by crypto-policies-scripts for correct operation, Requires should be used.

If grubby is essential in minimal host installations, it should be listed in the @core group in the comps file, not pulled in as a weak side-effect of having crypto-policies-scripts in @core.

If it is listed primarily for convenience, Suggests might be a better option. Or just drop the weak dependency completely.

Version-Release number of selected component (if applicable):

crypto-policies-scripts-20210218-1.git2246c55.el9.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf remove -y grubby
2. dnf reinstall -y crypto-policies-scripts

Actual results:

================================================================================
 Package                 Arch   Version                     Repository     Size
================================================================================
Reinstalling:
 crypto-policies-scripts noarch 20210218-1.git2246c55.el9   beaker-BaseOS  67 k
Installing weak dependencies:
 grubby                  x86_64 8.40-51.el9                 beaker-BaseOS  37 k

Expected results:

Only crypto-policies-scripts reinstalled.

Additional info:

Comment 2 Alexander Sosedkin 2021-05-11 15:13:22 UTC
> If that package is needed by crypto-policies-scripts for correct operation, Requires should be used.

> If grubby is essential in minimal host installations, it should be listed in the @core group in the comps file, not pulled in as a weak side-effect of having crypto-policies-scripts in @core.

> If it is listed primarily for convenience, Suggests might be a better option. Or just drop the weak dependency completely.

IMO none of these three apply 100%, can I just CLOSE WONTFIX this bug?

Comment 3 Jan Pazdziora 2021-05-11 15:17:36 UTC
So what is the reason for that Recommends? Doesn't pulling in grubby make sense for example only when kernel is installed, so boolean dependencies would be more appropriate?

Comment 4 Alexander Sosedkin 2021-05-11 15:29:20 UTC
For reconfiguring the kernel cmdline as part of fips-mode-setup; not used outside of switching into FIPS mode.

Comment 5 Jan Pazdziora 2021-05-14 13:19:00 UTC
So would

  Requires: (grubby if kernel)

be a more precise and descriptive representation of the intent?

Comment 6 Alexander Sosedkin 2021-05-14 13:35:10 UTC
No, most of the customers aren't FIPS-aware and crypto-policies has no need to depend on any bootloader configuration tools for switching policies other than FIPS.

Comment 7 Jan Pazdziora 2021-05-14 13:43:52 UTC
So

   Recommends: (grubby if kernel)

?

Note that currently crypto-policies-scripts depends on grubby in most deployments because few admins disable weak dependencies. Yes, the admin can remove grubby (either from the installation transaction or ex-post) but it will get installed again during crypto-policies-scripts.

Making the dependency conditional on the package that the tooling is expected to manage seems very much what the boolean dependencies are for.

Josh, what is your opinion about boolean dependencies for situations like this?

Comment 8 Josh Boyer 2021-05-14 18:15:16 UTC
(In reply to Jan Pazdziora from comment #7)
> So
> 
>    Recommends: (grubby if kernel)
> 
> ?
> 
> Note that currently crypto-policies-scripts depends on grubby in most
> deployments because few admins disable weak dependencies. Yes, the admin can
> remove grubby (either from the installation transaction or ex-post) but it
> will get installed again during crypto-policies-scripts.
> 
> Making the dependency conditional on the package that the tooling is
> expected to manage seems very much what the boolean dependencies are for.
> 
> Josh, what is your opinion about boolean dependencies for situations like
> this?

The boolean seems to make sense to me.

Stepping back and looking at the overall scenario, grubby is going to be on 90% of systems anyway.

Comment 9 Alexander Sosedkin 2021-05-18 13:03:29 UTC
I'm OK with the `Recommends: (grubby if kernel)` suggestion; note that it keeps the Recommends though.
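
Added example, not part of the original thread and not crypto-policies, rpm or dnf code: a simplified model of the two Recommends forms discussed above, showing which installed package sets end up with grubby pulled in. The package sets are constructed, and the model ignores Provides, versions and the real solver's ordering.

```python
# Added illustration: simplified model of weak-dependency resolution,
# covering plain names and the one-level rich form '(A if B)' only.
import re


def parse_dep(expr):
    """Parse 'name' or a one-level rich dependency '(A if B)'."""
    expr = expr.strip()
    m = re.fullmatch(r"\(\s*(\S+)\s+if\s+(\S+)\s*\)", expr)
    if m:
        return {"want": m.group(1), "condition": m.group(2)}
    if re.fullmatch(r"[A-Za-z0-9._+-]+", expr):
        return {"want": expr, "condition": None}
    raise ValueError(f"unsupported dependency expression: {expr!r}")


def weak_deps_pulled(recommends, installed, install_weak_deps=True):
    """Return packages a transaction would add because of Recommends.

    recommends: Recommends expressions of the package being (re)installed
    installed: names already on the system or in the transaction
    install_weak_deps: models dnf's install_weak_deps setting
    """
    if not install_weak_deps:
        return []
    pulled = []
    for expr in recommends:
        dep = parse_dep(expr)
        if dep["condition"] is not None and dep["condition"] not in installed:
            continue  # '(A if B)' is already satisfied when B is absent
        if dep["want"] not in installed:
            pulled.append(dep["want"])
    return pulled


# Constructed package sets: a host after 'dnf remove -y grubby',
# and a kernel-less container image.
HOST = {"kernel", "crypto-policies", "crypto-policies-scripts"}
CONTAINER = {"crypto-policies", "crypto-policies-scripts"}


def compare():
    """Evaluate both Recommends forms against both package sets."""
    rows = {}
    for label, rec in (("plain", ["grubby"]), ("boolean", ["(grubby if kernel)"])):
        rows[label] = {
            "host": weak_deps_pulled(rec, HOST),
            "container": weak_deps_pulled(rec, CONTAINER),
            "host_no_weak": weak_deps_pulled(rec, HOST, install_weak_deps=False),
        }
    return rows
```

On the host with a kernel both forms still pull grubby back in, which is the point made in comment 9; only the kernel-less set differs.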

Comment 17 errata-xmlrpc 2022-05-17 15:54:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: crypto-policies), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3953

