Bug 31649

Summary: Nothing obsoletes lib64verto-tevent1-0.3.1-2.mga8
Product: Mageia Reporter: Marcel Pol <marcel>
Component: RPM PackagesAssignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: libverto-0.3.2-2.mga9.src.rpm CVE:
Status comment:

Description Marcel Pol 2023-03-09 12:07:02 CET 
Checking my mga9 install for mga8 packages I saw this one:
lib64verto-tevent1-0.3.1-2.mga8

Trying to remove it resulted in this dependency:
# rpm -e lib64verto-tevent1-0.3.1-2.mga8
error: Failed dependencies:
	libverto-module-base is needed by (installed)
	gssproxy-0.9.1-1.mga9.x86_64

When trying to install that requirement manually it has 2 proposals:
# urpmi libverto-module-base
1- lib64verto-libev1-0.3.2-2.mga9.x86_64
2- lib64verto-libevent1-0.3.2-2.mga9.x86_64

I do think upgrading from mga8 to mga9 should upgrade as many packages
as possible.
Probably both proposed upgrades should obsolete the mga8 package.
Comment 1 Dave Hodgins 2023-03-09 16:53:45 CET 
lib packages are not supposed to be obsoleted unless they interfere with
the new packages. The requires in gssproxy could be altered so ensure one of
the new packages does get installed, but the old lib should not be removed
unless absolutely necessary for the new package to work.

The reason old lib packages do not get obsoleted is to allow compatibility
with third party software.

Does gssproxy work with the older lib?

CC: (none) => davidwhodgins

Comment 2 Lewis Smith 2023-03-09 20:20:33 CET 
Would it not be more sensible that 'gssproxy' works with one of the new proposed libraries? Of which 'lib64verto-libevent1' looks the closest.
This looks like a dependency problem for gssproxy, which guillomovitch looks after. So assigning this to him.

Assignee: bugsquad => guillomovitch

Comment 3 Marcel Pol 2023-03-10 12:06:10 CET 
gssproxy is simply a dependency of nfs-utils, which works fine for me.
With the old lib and new lib gssproxy starts from the systemd-unit by using 'systemctl start gssproxy'. It also starts in both cases in interactive mode with 'gssproxy -i'.
I haven't tested any further functionality, since I don't really know or use the package.

I do understand the problem "should" be fixed in gssproxy deps. But since it is a virtual Provides for libverto-module-base, which is provided by lib64verto-event1 and lib64verto-ev1, and in mga8 also by lib64verto-tevent1, it might be a simple solution to have lib64verto-event1 obsolete lib64verto-tevent1. But I also understand that might be unwanted, and I have no clue if both libs are interchangeable in all ways.

Anyway, guillomovitch knows the package better, so I trust he knows how to work on this.
Comment 4 Marcel Pol 2023-03-10 13:43:18 CET 
Just a thought. I can imagine gssproxy requiring libverto-module-base version >= 0.3.2. This would install a new mga9 package, leaving lib64verto-tevent1 from mga8 as a leaf orphan package that can be uninstalled easily.
Comment 5 Guillaume Rousse 2023-03-10 18:07:10 CET 
Versionned dependencies are supposed to express software requirements, using them to force package upgrade between release seems a dirty hack. And I don't see any problem having leftover packages after an upgrade, as long as they work.
Feel free to force removal and reinstall if you're not confortable with.
Comment 6 Dave Hodgins 2023-03-10 18:47:17 CET 
Comment 4 is an appropriate solution. It ensures that a Mageia 9 version of
the libs is installed when upgrading from m8, so that the user can then
uninstall leftover m8 packages (if desired) without having gssproxy get
uninstalled too.
Comment 7 Guillaume Rousse 2023-03-11 17:19:29 CET 
That would still be an ugly hack for a non-existing problem. Just prove there is  something wrong with this kind of situation, and not just a cosmetic issue, and I may reconsider my position, otherwise that's a wontfix for me.
Comment 8 Dave Hodgins 2023-03-11 17:44:31 CET 
If after m8 support ends, there is a security update that affects the m8
lib, then the users still using the m8 lib (which will be everyone using
gssproxy in m8 who then upgrade) will be left with insecure versions.

Putting in version+ specific requires could be done now, or at that time
provided this issue is not forgotten. It would require monitoring
libverto-0.3.1-2 for security issues for the duration of m9 support (possibly
longer) or until version specific requires do get added.
Comment 9 Guillaume Rousse 2023-03-23 10:30:57 CET 
I opted for Fedora strategy instead:
- stricter version dependencies between main library package and its module
- obsoleting of old tevent module

This seems safer and more readable, as safe-contained in libverto package.
Comment 10 Guillaume Rousse 2023-03-23 10:33:51 CET 
And the real issue here, actually, is why does anyone need a mandatory kerberos proxy for NFS, whereas I highly doubt any casual mageia user would ever use such kind of exotic configuration ?
Comment 11 Marcel Pol 2023-03-23 12:08:25 CET 
Thank you, I can confirm that the upgrade works well.

And yes, if that proxy dependency would be removed for Mageia 10, there would be enough time for beta testers to complain, if they even use that :)

Resolution: (none) => FIXED
Status: NEW => RESOLVED