RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1947872 - crypto-policies uses Recommends crypto-policies-scripts
Summary: crypto-policies uses Recommends crypto-policies-scripts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: crypto-policies
Version: 9.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: beta
: ---
Assignee: Alexander Sosedkin
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-04-09 13:01 UTC by Jan Pazdziora
Modified: 2022-05-17 16:21 UTC (History)
4 users (show)

Fixed In Version: crypto-policies-20210628-1.gitdd7d273.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:54:31 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:3953 0 None None None 2022-05-17 15:54:41 UTC

Description Jan Pazdziora 2021-04-09 13:01:24 UTC 
Description of problem:

RHEL 9 Content Structure and Guidelines state that weak dependencies in BaseOS are allowed, but discouraged.

By using the Recommends weak dependencies especially for packages in @core group (Minimal host installation) or their direct dependencies, the recommended package gets pulled into the installed package set depending on the current configuration of the dnf transaction.

The crypto-policies package Recommends crypto-policies-scripts.

If that package is needed by crypto-policies for correct operation, Requires should be used.

If crypto-policies-scripts essential in minimal host installations, it should be listed in the @core group in the comps file, not pulled in as a weak side-effect of having crypto-policies in @core.

If it is listed primarily for convenience, Suggests might be better option. Or just drop the weak dependency completely.

Version-Release number of selected component (if applicable):

crypto-policies-20210218-1.git2246c55.el9.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf remove -y crypto-policies-scripts
2. dnf reinstall -y crypto-policies

Actual results:

================================================================================
 Package                 Arch   Version                     Repository     Size
================================================================================
Reinstalling:
 crypto-policies         noarch 20210218-1.git2246c55.el9   beaker-BaseOS  56 k
Installing weak dependencies:
 crypto-policies-scripts noarch 20210218-1.git2246c55.el9   beaker-BaseOS  67 k
 grubby                  x86_64 8.40-51.el9                 beaker-BaseOS  37 k

Expected results:

Only crypto-policies reinstalled.

Additional info:

For the grubby in the output please see separate bug 1947871.
Comment 2 Alexander Sosedkin 2021-04-09 13:54:12 UTC 
crypto-policies-scripts is needed to switch the crypto-policy active on the system to something other than DEFAULT.
It used to be a single package with crypto-policies and was only extracted out of it
solely because UBI wanted to avoid python in the minimal image (bz1832743).

What do I need to do to add it to @core? Would that cause a regression for the UBI folks?
Is Recommends + @core OK or is this discouraged as well?
Comment 3 Jan Pazdziora 2021-04-09 15:10:32 UTC 
Josh, is pull request to https://pagure.io/fedora-comps/blob/main/f/comps-eln.xml.in still the way to modify RHEL 9 comps or has the process since changed?

Given that UBI images don't contain for example systemd, I assume they are not using @core group for specifying package sets anyway.

The biggest problem with Recommends is that depending on --excludeWeakdeps option to %packages in the kickstart and install_weak_deps setting in dnf, the end result is different, which is not really nice for repeatability. So ideally removing that Recommends would be best.
Comment 5 Josh Boyer 2021-04-12 17:54:53 UTC 
(In reply to Jan Pazdziora from comment #3)
> Josh, is pull request to
> https://pagure.io/fedora-comps/blob/main/f/comps-eln.xml.in still the way to
> modify RHEL 9 comps or has the process since changed?

Changed.  Use centos-stream comps:

https://gitlab.com/redhat/centos-stream/release-engineering/comps

> Given that UBI images don't contain for example systemd, I assume they are
> not using @core group for specifying package sets anyway.

They are not.  They're built from kickstarts that specify --nocore

> The biggest problem with Recommends is that depending on --excludeWeakdeps
> option to %packages in the kickstart and install_weak_deps setting in dnf,
> the end result is different, which is not really nice for repeatability. So
> ideally removing that Recommends would be best.
Comment 6 Alexander Sosedkin 2021-05-11 15:22:58 UTC 
On a second thought, I now think that the reasons to add it to @core are solid enough. Nothing in there seems to depend on non-platform python.

Can I just keep it the way it is now?

 * no @core because python dependency
 * recommended and not suggested as it contains the fundamental package functionality expected from crypto-policies package
 * recommended and not required as it can be avoided for setups that only use DEFAULT policy
Comment 7 Jan Pazdziora 2021-05-11 15:46:20 UTC 
What is the problem of having packages in @core the require python? There's dnf there, for example. Why can't crypto-policies-scripts go to @core?
Comment 8 Alexander Sosedkin 2021-05-11 16:29:14 UTC 
Hm, you're right, they both seem to be content with platform-python.
Filed https://gitlab.com/redhat/centos-stream/release-engineering/comps/-/merge_requests/36

Can I keep the Recommends?
Comment 9 Jan Pazdziora 2021-05-13 13:55:35 UTC 
Keeping the Recommends is discouraged as it bring non-determinism to the installation, so it'd be good if it could be removed. With the -scripts package now listed in @core, it will get installed in most typical installations. Removing the Recommends will allow easy installation for example in containers where changing the crypto policy is not anticipated.
Comment 17 errata-xmlrpc 2022-05-17 15:54:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: crypto-policies), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3953
Note You need to log in before you can comment on or make changes to this bug.