Bug 2271227 - RFE: Update Recommends to support sdubby as alternative to grubby
Summary: RFE: Update Recommends to support sdubby as alternative to grubby
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: crypto-policies
Version: 40
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Red Hat Crypto Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2271533
Blocks:
Reported: 2024-03-23 22:00 UTC by Gary Buhrmaster
Modified: 2024-04-02 15:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-04-02 15:16:15 UTC
Type: ---
Embargoed:
fedora-admin-xmlrpc: mirror+


Attachments
Patch supporting grubby or sdubby (453 bytes, patch)
2024-03-23 22:01 UTC, Gary Buhrmaster


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-1152 0 None None None 2024-03-24 01:41:57 UTC

Description Gary Buhrmaster 2024-03-23 22:00:01 UTC
While crypto-policies-scripts has logic to handle the lack of /usr/sbin/grubby, it does Recommend grubby.  Note that until recently, sdubby had a "Provides: grubby" stanza, but that was removed recently.  Adding in sdubby as meeting the recommends returns crypto-policies-scripts to approximate equivalency before that other fix in sdubby.  Please consider updating the Recommend to be (grubby or sdubby) for those that are moving to systemd-boot.  In practice, grubby or sdubby are likely already installed, so the Recommend is a no-op, but it may make package resolution easier for dnf.

Proposed patch will be attached.

Reproducible: Didn't try

Comment 1 Gary Buhrmaster 2024-03-23 22:01:16 UTC
Created attachment 2023280
Patch supporting grubby or sdubby

Comment 2 Gary Buhrmaster 2024-03-24 01:41:17 UTC
Related (where sdubby no longer provides grubby): Bug 2269992

Comment 3 Clemens Lang 2024-03-25 09:10:10 UTC
I'm not sure we want this, considering that sdubby does not actually seem to work with `fips-mode-setup`. See bug 2259197.

Comment 4 Gary Buhrmaster 2024-03-25 18:20:26 UTC
(In reply to Clemens Lang from comment #3)
> I'm not sure we want this, considering that sdubby does not actually seem to
> work with `fips-mode-setup`. See bug 2259197.

I believe that issue was caused because sdubby "Provides: grubby" (and the sdboot version was > grubby) and now that sdubby has been changed to no longer provide grubby, it will not replace grubby (if installed).

Comment 5 Clemens Lang 2024-03-25 19:28:44 UTC
(In reply to Gary Buhrmaster from comment #4)
> I believe that issue was caused because sdubby "Provides: grubby" (and the
> sdboot version was > grubby) and now that sdubby has been changed to no
> longer provide grubby, it will not replace grubby (if installed).

Correct. However, given that `fips-mode-setup` currently does not seem to work with sdubby (or maybe we're just trying on systems that aren't correctly set up for sdubby?), I don't think we should be adding the alternative dependency.

Comment 6 Gary Buhrmaster 2024-03-25 22:52:10 UTC
(In reply to Clemens Lang from comment #5)

> Correct. However, given that `fips-mode-setup` currently does not seem to
> work with sdubby (or maybe we're just trying on systems that aren't
> correctly set up for sdubby?)

I think the problem is as reported in Bug 2271533 so I am going to add a "depends" on that bug.

Comment 7 Alexander Sosedkin 2024-04-02 15:16:15 UTC
I'm with Clemens here, with the current state of sdubby's interface we shouldn't depend on it.
Once the situation changes we can re-consider, but if it stops providing `grubby` in $PATH, the change might involve more than just adding an rpm dependency.
Feel free to either reopen or file a more general "support sdubby in addition to grubby" ticket once it grows the featureset we're using.

