# Description of problem: An update to the package "lib64webkit2gtk4.0_37" has introduced dependencies on bubblewrap and xdg-dbus-proxy, which ends up pulling in the entire Flatpak stack. On my system (see also the attached screenshots), the "New dependencies" section of Mageia's update GUI lists the following packages: * bubblewrap * flatpak * geoclue * lib64flatpak-gir1.0 * lib64flatpak0 * lib64geoclue2_0 * lib64mm-glib0 * lib64ostree1 * lib64pipewire0.2_1 * lib64webkit2gtk-gir4.0 * ostree * pipewire * webkit2 * xdg-dbus-proxy * xdg-desktop-portal * xdg-desktop-portal-gtk (For the record, I'm running KDE as my desktop environment, so if I actually wanted to install Flatpak, I'd want the package "xdg-desktop-portal-kde", not "xdg-desktop-portal-gtk") The dependency list on Sophie (http://sophie.zarb.org/rpms/eb76dab251fc08a1d4dd54066d4fcbb4/deps) only lists 2 of the Flatpak-related packages (bubblewrap and xdg-dbus-proxy). However, according to an email on the development mailing list (https://ml.mageia.org/l/arc/dev/2020-11/msg00377.html), xdg-dbus-proxy recommends flatpak, which is how all those other packages get pulled in. I haven't got a 32-bit system set up to test with, but I'm guessing that 32-bit versions of Mageia would be affected as well, as Sophie also lists xdg-dbus-proxy as a dependency for the 32-bit "libwebkit2gtk4.0_37" package (http://sophie.zarb.org/rpms/c74a52c576af7cda4b126adb84edbac0/deps) # Version-Release number of selected component (if applicable): * lib64webkit2gtk4.0_37-2.30.3-1.mga7.x86_64.rpm * libwebkit2gtk-gir4.0-2.30.3-1.mga7.i586.rpm (I haven't got a 32-bit installation to test, but Sophie indicates that it has the same unnecessary dependencies - see http://sophie.zarb.org/rpms/efc4b8dd289d47ca7146ea882bd957d6/deps) # How reproducible: Always # Steps to Reproduce: ## If you haven't yet installed the update, and you don't currently have the Flatpak stack installed: 1. Run Mageia's GUI updater 2. Verify that Flatpak-related packages are appearing in the list of updates 3. Verify that these Flatpak-related packages are listed in the "New dependencies" section for lib64webkit2gtk4.0_37 (or libwebkit2gtk4.0_37, if you're running a 32-bit version of Mageia) ## If you've already installed the update, or you already had the Flatpak stack installed to begin with 1. Install a fresh copy of Mageia 7.1, without an Internet connection (to guarantee that you're installing packages from Core Release, rather than Core Updates). You need to make sure that libwebkit2gtk4.0_37 or lib64webkit2gtk4.0_37 gets installed, so I'd recommend the following setup: 1.1 Use the Classic Installer 1.2 On the "Desktop Selection" step, select "Custom" 1.3 On the "Package Group Selection" step, make sure that "GNOME Workstation" and "Internet station" are ticked. This should guarantee that the installer will install GNOME Web, which will pull in libwebkit2gtk4.0_37 / lib64webkit2gtk4.0_37 as a dependency. 2. After the installation is complete, connect to the Internet. 3. Run Mageia's GUI updater 4. Verify that Flatpak-related packages are appearing in the list of updates 5. Verify that these Flatpak-related packages are listed in the "New dependencies" section for lib64webkit2gtk4.0_37 (or libwebkit2gtk4.0_37, if you're running a 32-bit version of Mageia)
Sorry, I provided the wrong URLs to Sophie (they point to the dependency lists for lib64webkit2gtk-gir4.0 and libwebkit2gtk-gir4.0, instead of lib64webkit2gtk4.0_37 and libwebkit2gtk4.0_37). Here are the correct Sophie URLs: # 64-bit http://sophie.zarb.org/rpms/e4b63715e9808d8a34676802b66d579b/deps # 32-bit http://sophie.zarb.org/rpms/c74a52c576af7cda4b126adb84edbac0/deps
Created attachment 12030 [details] The "New dependencies" list for the package "lib64webkit2gtk4.0_37"
Created attachment 12031 [details] The "New dependencies" list for the package "lib64webkit2gtk-gir4.0 Based on the dependency list on Sophie (http://sophie.zarb.org/rpms/eb76dab251fc08a1d4dd54066d4fcbb4/deps), it seems that there's nothing wrong with the dependencies for this package - it's just that it depends on lib64webkit2gtk4.0_37, which does have the unnecessary dependencies.
You can avoid the recommended packages by installing the updates with --no-recommends. The addition to the webkit2 SPEC file explains these additions pretty well. As webkit2 is gtk-based, it does use xdg-portal-desktop-gtk, not the kde one. # These are hard requirements of WebKit's bubblewrap sandbox. Requires: bubblewrap Requires: xdg-dbus-proxy # If Geoclue is not running, the geolocation API will not work. Recommends: geoclue2 # If no xdg-desktop-portal backend is installed, many features will be broken # inside the sandbox. In particular, the -gtk backend has to be installed for # desktop settings access, including font settings. Recommends: xdg-desktop-portal-gtk
Assignee: bugsquad => nicolas.salgueroResolution: (none) => INVALIDStatus: NEW => RESOLVEDCC: (none) => thierry.vignaud
Created attachment 12032 [details] urpmi --auto-select logs Using or not using --no-recommends is not the question. An update should not bloat a system in such proportions. (see attached logs) lib64webkit2gtk4.0_37 -> xdg-desktop-portal - > flatpack -> ostree -> pipewire I think QA validation should also perform a deps test case such as: ROOT=/tmp/T mkdir $ROOT urpmi --auto --root $ROOT --justdb --media Core\ Release basesystem-minimal urpmi --auto --root $ROOT --justdb --media Core\ Release the_old_pkg urpmi --auto-select --root $ROOT --justdb # And then if quite a lot of new pkgs got installed, raise an alert It could be automated by using a QA script I've run urpmi with --bug a_dir_name before so I can provide you with an archive to use with urpmi --env if you want…
We've caught in QA incorrectly added dependencies (like devel ones to non-devel packages) before, but the added dependencies here were not incorrect, as I showed above, just a function again of the updated software (and the example you gave was still avoidable through not installing recommends). You can complain upstream about the additions, but there's nothing else we could do.
(In reply to David Walser from comment #4) > You can avoid the recommended packages by installing the updates with > --no-recommends. The addition to the webkit2 SPEC file explains these > additions pretty well. As webkit2 is gtk-based, it does use > xdg-portal-desktop-gtk, not the kde one. > > > # These are hard requirements of WebKit's bubblewrap sandbox. > Requires: bubblewrap > Requires: xdg-dbus-proxy > > # If Geoclue is not running, the geolocation API will not work. > Recommends: geoclue2 > > # If no xdg-desktop-portal backend is installed, many features will be broken > # inside the sandbox. In particular, the -gtk backend has to be installed for > # desktop settings access, including font settings. > Recommends: xdg-desktop-portal-gtk I apologise - I reported the bug against the wrong package. I've looked through the SRPM spec files now, and as you say, it's reasonable for lib64webkit2gtk4.0_37 and libwebkit2gtk4.0_37 to depend on bubblewrap and xdg-dbus-proxy, and to recommend geoclue2 and xdg-desktop-portal-gtk. I assume it's also reasonable for xdg-desktop-portal-gtk to depend on xdg-desktop-portal, but correct me if I'm wrong. I think the problem probably lies with xdg-desktop-portal. According to http://sophie.zarb.org/rpms/3f0d690c1bf943da4a121fe7dc70b4db/files/2, the SRPM for xdg-desktop-portal contains the following line: # Required version for icon validator. Recommends: flatpak >= 1.2.0 Can anyone provide clarification on what the "Required for icon validator" comment means? I'm guessing it just means that, if you intend to use xdg-desktop-portal with flatpak, you need to ensure that flatpak is updated to at least version 1.2.0. If my assumption above is correct, then the Recommends: relationship would have made sense, at a time when xdg-desktop-portal was basically only utilised by flatpak; however, now that the WebKit stack has a use for it as well, xdg-desktop-portal should downgrade the relation to a Suggests:. Unless there's some feature of xdg-desktop-portal that's broken in the absence of flatpak - but I doubt that.
Source RPM: webkit2-2.30.3-1.mga7.src.rpm => xdg-desktop-portal-1.4.2-1.mga7.src.rpm
Created attachment 12043 [details] The "New dependencies" list for the package "xdg-desktop-portal".
Attachment 12031 is obsolete: 0 => 1 Attachment 12030 is obsolete: 0 => 1
Should I reopen this bug report (possibly after editing the title)? Or should I create a clean bug report, with corrections to the bug description?
Agreed, let's have Neal take a look.
Resolution: INVALID => (none)Status: RESOLVED => REOPENEDAssignee: nicolas.salguero => ngompa13CC: (none) => nicolas.salgueroSummary: libwebkit2gtk4.0_37 / lib64webkit2gtk4.0_37 update introduces unnecessary Flatpak dependencies => xdg-desktop-portal potentially unnecessary flatpak recommends
CC: (none) => christophe.nanteuil
(In reply to Thierry Vignaud from comment #5) > Created attachment 12032 [details] > urpmi --auto-select logs > > Using or not using --no-recommends is not the question. > An update should not bloat a system in such proportions. > (see attached logs) I approve that an update should not add these kinds of dependencies.
The update didn't, they were already there. They just got pulled in as the new webkit2 required the package that recommends them. Ping Neal...
Mageia 7 is EOL since July 1st 2021. There will not have any further bugfix for this release. You are encouraged to upgrade to Mageia 8 as soon as possible. @reporter, if this bug still apply with Mageia 8, please let us know it. @packager, if you work on the Mageia 7 version of your package, please check the Mageia 8 package if issue is also present. In this case, please fix the Mageia 8 version instead. This bug report will be closed OLD if there is no further notice within 1st September 2021.
(In reply to David Walser from comment #12) > The update didn't, they were already there. They just got pulled in as the > new webkit2 required the package that recommends them. > > Ping Neal... xdg-desktop-portal is effectively broken if *no* backend is installed. So *a* backend needs to be installed. Some cleverness would be required to do this more agnostically, but I don't see the harm in having the recommends.
As for the flatpak recommends, it was downgraded from Requires originally in xdg-desktop-portal 1.2.0. The original depenendency was added to express the need for "/usr/libexec/flatpak-validate-icon" to do icon validation. Since we can't have file dependencies in Mageia while we continue to use URPMI, this information was lost when we imported from Fedora to Mageia.
xdg-desktop-portal-kde requires flatpak, even though it also requires xdg-desktop-portal which recommends flatpak, so that seems wrong.
(In reply to David Walser from comment #16) > xdg-desktop-portal-kde requires flatpak, even though it also requires > xdg-desktop-portal which recommends flatpak, so that seems wrong. Icons don't render without it, as I understand it.
The status of this bug has barely changed since Mageia 7. xdg-desktop-portal still recommends flatpak, and as David has pointed out, xdg-desktop-portal-kde requires flatpak. In a change from Mageia 7, xdg-desktop-portal-gtk now recommends flatpak as well. As of Mageia 8, the "Steps to Reproduce" from my first comment are now obsolete, as the bug affects core-release now, not just core-updates. You can still verify the bug by reading the spec files on Sophie: # Cauldron ## xdg-desktop-portal-1.8.1-1.mga9.src.rpm http://sophie.zarb.org/rpms/c6790d06629600b47dcc3ccc66e8e93b/files/2 ## xdg-desktop-portal-gtk-1.8.0-2.mga8.src.rpm http://sophie.zarb.org/rpms/fe1a2d8ca2b5db1a46ffbd7914b2f97a/files/2 ## xdg-desktop-portal-kde-5.22.3-1.mga9.src.rpm http://sophie.zarb.org/rpms/d990e2bea0b04f40318e7bc9191329f6/files/2 # Mageia 8 ## xdg-desktop-portal-1.8.0-1.mga8.src.rpm http://sophie.zarb.org/rpms/fb577d6bfad1644a28fd7fa07ad81709/files/2 ## xdg-desktop-portal-gtk-1.8.0-2.mga8.src.rpm http://sophie.zarb.org/rpms/fe1a2d8ca2b5db1a46ffbd7914b2f97a/files/2 ## xdg-desktop-portal-kde-5.20.4-2.mga8.src.rpm http://sophie.zarb.org/rpms/46691af419506780bdf8b578786861ac/files/2
Version: 7 => CauldronWhiteboard: (none) => MGA8TOO
This bug definitely shouldn't be closed as OLD. But if it's unfixable, so long as we continue to use URPMI, then it could be closed as RESOLVED WONTFIX, or set to depend on a URPMI-related bug report.
Source RPM: xdg-desktop-portal-1.4.2-1.mga7.src.rpm => xdg-desktop-portal-1.8.1-1.mga9.src.rpm
This is not going to be "fixed", because this is intentional.
Resolution: (none) => WONTFIXStatus: REOPENED => RESOLVED