
Feature changed by: Michael Andres (mlandres)
Feature #313088, revision 14
Title: allow patches that uninstall packages

openSUSE Distribution: Unconfirmed
  Priority
    Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
Suppose security flaws are discovered in some leaf package that we cannot fix for some reason. We need a way to tell users of that package that they better uninstall the affected package. Previously we would have "solved" this by releasing a new version of the package without files. This is a rather ugly hack though. What we need is a special patch that when selected uninstalls the listed packages without causing e.g. packagekit to choke.

Discussion:
#1: Michael Schröder (mlschroe) (2011-12-19 15:52:44)
As often, the libzypp/solver part is easy. Please propose how you want to encode such an uninstall request into updateinfo.xml. Also please ask the Fedora guys about their opinion, as we share the specification.

#2: Ludwig Nussel (lnussel) (2011-12-19 16:03:37) (reply to #1)
Please go ahead, you're the expert.

#3: Michael Schröder (mlschroe) (2011-12-19 16:07:23) (reply to #2)
But I'm not the Architect(TM)

#4: Karl Cheng (qantas94heavy) (2016-11-18 04:04:22)
I wonder if you think this is still right today, Ludwig... ;)

#5: Ludwig Nussel (lnussel) (2016-12-05 15:02:54) (reply to #4)
Yes I think so. It's also interesting for e.g. openSUSE:Backports

#6: Sławomir Lach (lachu) (2016-12-06 17:12:37)
Is it a good idea to also disallow installing packages with security flaws?

#8: Kai Dupke (kdupke) (2017-02-17 11:54:04) (reply to #6)
Users might see this as too much managing them. And there might be reasons you want to have exactly this specific version, even if it has a security flaw. Of course, having someone acknowledge this could be worthwhile.

#9: Jiri Srain (jsrain) (2017-04-10 08:04:07Z)
I wonder if we need any handling in updateinfo at all. Can the patch itself just conflict with the package we want to remove?
Thorsten, you may want to have a look as an architect...

+ #10: Michael Andres (mlandres) (2017-04-19 08:40:22) (reply to #9)
+ Inside libsolv/libzypp a patch is an ordinary object just like a
+ package. A patch is created from an entry in updateinfo.xml by
+ translating the package list into a set of conflict dependencies. This
+ way the patch will conflict with installed versions less than the ones
+ mentioned in the updateinfo.xml.
+ A patch with actual conflicts is called broken or needed. If such a
+ patch is selected, dependency resolution can resolve such a conflict by
+ either updating the package or by removing it.
+ The common resolution to update the package is just because the
+ update-repo also provides the new rpm packages. If we'd mention a package in
+ the updateinfo.xml, but do not ship a new rpm package as well,
+ dependency resolution will (interactively) suggest to remove the
+ package. For the sake of being more explicit or if we want to
+ non-interactively remove packages, we need to indicate that 'a package is
+ intentionally not shipped' (i.e. to be deleted) in the updateinfo.xml.
+ Michael Schröder is probably more familiar with the updateinfo.xml
+ format and he also 'owns' the parser; maybe he has some suggestion how
+ to encode this. Maybe just '<package>' entries without src/filename
+ attributes or an explicit '<delpkglist>'?

--
openSUSE Feature:
https://features.opensuse.org/313088
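The resolution described in comment #10, modelled as an added example that is not part of the original thread and is not libsolv/libzypp code: each `<package>` entry becomes a "conflicts with name < version" pair, and an installed package hit by that conflict is updated if the repository ships a fixed rpm and removed otherwise. The function names, the sample XML and the simplified version ordering (not full rpm comparison) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml fragment; advisory id, names and versions are made up.
UPDATEINFO = """<updates><update type="security"><id>EXAMPLE-2017-1</id>
<pkglist><collection>
<package name="libfoo" epoch="0" version="1.2" release="3.1" arch="x86_64"/>
<package name="leafpkg" epoch="0" version="9.9" release="1" arch="x86_64"/>
</collection></pkglist></update></updates>"""

def _segments(s):
    # Simplified stand-in for rpm version comparison:
    # numeric chunks compare as integers and rank above alphabetic chunks.
    return tuple((1, int(c)) if c.isdigit() else (0, c)
                 for c in re.findall(r"\d+|[A-Za-z]+", s))

def evr_key(epoch, version, release):
    """Sortable key for an (epoch, version, release) triple."""
    return (int(epoch or 0), _segments(version), _segments(release))

def patch_conflicts(xml_text):
    """Translate each <package> entry into a 'conflicts with name < EVR' pair."""
    root = ET.fromstring(xml_text)
    return [(p.get("name"),
             evr_key(p.get("epoch"), p.get("version"), p.get("release")))
            for p in root.iter("package")]

def resolve(conflicts, installed, repo):
    """Return {name: 'update' | 'remove'} for installed packages the patch conflicts with."""
    actions = {}
    for name, fixed in conflicts:
        if name not in installed or evr_key(*installed[name]) >= fixed:
            continue  # not installed, or already at the fixed version: no conflict
        candidate = repo.get(name)
        if candidate and evr_key(*candidate) >= fixed:
            actions[name] = "update"   # update repo ships a fixed rpm
        else:
            actions[name] = "remove"   # listed in the patch, but no rpm shipped
    return actions

if __name__ == "__main__":
    installed = {"libfoo": ("0", "1.2", "2.9"), "leafpkg": ("0", "3.0", "1")}
    repo = {"libfoo": ("0", "1.2", "3.1")}  # no fixed leafpkg is shipped
    print(resolve(patch_conflicts(UPDATEINFO), installed, repo))
```

In this model removal is only implied by the missing rpm, which is the ambiguity the comment wants an explicit marker in updateinfo.xml to resolve.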