[zypp-devel] Bug 736100 - libzypp's patches application rules are flawed
See https://bugzilla.novell.com/show_bug.cgi?id=736100

The point is that suse patches indeed conflict with packages shipped by another vendor.

--
cu,
Michael Andres

+------------------------------------------------------------------+
Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
+------------------------------------------------------------------+
Michael Andres   SUSE LINUX Products GmbH, Development,   ma@suse.de
GF:Jeff Hawn,Jennifer Guild,Felix Imendörffer, HRB16746(AG Nürnberg)
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 740 53-0
+------------------------------------------------------------------+
--
To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org
To contact the owner, e-mail: zypp-devel+owner@opensuse.org

* Michael Andres <ma@suse.de> [Dec 13. 2011 09:25]:
> See https://bugzilla.novell.com/show_bug.cgi?id=736100
> The point is that suse patches indeed conflict with packages shipped by another vendor.

So we need to make the patch dependency information richer to cover such situations.

Patches could get a 'vendor' string and only apply to packages with a matching vendor.

Then one has three possibilities

1. All packages referenced by the patch have the same vendor as the patch (normal situation)
   -> patch is valid and should be considered
2. No package referenced by the patch has the same vendor as the patch (all packages from different vendor)
   -> patch is invalid and must not be considered
3. Some packages referenced by the patch have the same vendor as the patch and some packages don't (vendor mix)
   -> user must decide

Klaus
---
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5, 90409 Nürnberg, Germany

On 12/19/2011 11:27 AM, Klaus Kaempf wrote:
> * Michael Andres <ma@suse.de> [Dec 13. 2011 09:25]:
>> See https://bugzilla.novell.com/show_bug.cgi?id=736100
>> The point is that suse patches indeed conflict with packages shipped by another vendor.
> So we need to make the patch dependency information richer to cover such situations.
> Patches could get a 'vendor' string and only apply to packages with a matching vendor.
> Then one has three possibilities
> 1. All packages referenced by the patch have the same vendor as the patch (normal situation) -> patch is valid and should be considered
> 2. No package referenced by the patch has the same vendor as the patch (all packages from different vendor) -> patch is invalid and must not be considered
> 3. Some packages referenced by the patch have the same vendor as the patch and some packages don't (vendor mix) -> user must decide

I prefer the solution of vendoring the patch and keep things simple making the patch simply "Not relevant" if any of the affected packages is from a different vendor than the patch. You can't assume the patch will behave correctly (in terms of fixing an issue) if one of the components was replaced.

Now, I would be careful in talking about vendor here. For patch vendor I mean adding an attribute vendor to the package list of a patch. The patch itself should be allowed to have a different vendor, in case a 3rd party is assembling patches (eg. SLMS).

    - patch
      name: foo
      vendor: My Company Inc.
      pkgs:
        vendor: SUSE
        pkglist
          - foo >= 1.1
          - foo-devel >= 1.1

--
Duncan Mac-Vicar P. - http://www.suse.com/

* Duncan Mac-Vicar P. <dmacvicar@suse.de> [Dec 19. 2011 12:13]:
> I prefer the solution of vendoring the patch and keep things simple making the patch simply "Not relevant" if any of the affected packages is from a different vendor than the patch. You can't assume the patch will behave correctly (in terms of fixing an issue) if one of the components was replaced.

Agreed.

However, I'd still recommend to warn the user if a 'half relevant' patch is detected. One cannot automatically determine if a patch is applicable or not in such a situation.

Maybe the fix is in one of the packages of vendorA and the other packages are included due to build/runtime dependencies?

Klaus

On Monday 19 December 2011 12:13:15 Duncan Mac-Vicar P. wrote:
> On 12/19/2011 11:27 AM, Klaus Kaempf wrote:
> I prefer the solution of vendoring the patch and keep things simple making the patch simply "Not relevant" if any of the affected packages is from a different vendor than the patch. You can't assume the patch will behave correctly (in terms of fixing an issue) if one of the components was replaced.

But that's IMO not 'not relevant'. If the system has an affected package installed, the issue addressed by the patch is relevant. Just the solution the patch offers is not (auto-)applicable.

I think we should at least try to update 'our' packages.

--
cu,
Michael Andres

On Tuesday 13 December 2011 09:25:33 Michael Andres wrote:
> See https://bugzilla.novell.com/show_bug.cgi?id=736100
> The point is that suse patches indeed conflict with packages shipped by another vendor.

I just talked with Markus and Ludwig about this. Security team does not see issues if we'd follow this way and restrict patches to process only 'vendor compatible' packages.

- so we could add a 'vendor="..."' attribute to the updateinfos package entry
- enhance the updateinfo parser to create an appropriate conflict if a vendor is given
- enhance libsolv/libzypp to be able to handle this new vendor related rule

--
cu,
Michael Andres
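
Added example, not part of the thread and not libzypp or libsolv code: a sketch of the vendor check discussed above, reading the proposed `vendor` attribute from an updateinfo-style package entry and sorting a patch into the three cases from Klaus's list. The XML sample, the function names, the extra `not-installed` outcome and the case-insensitive vendor comparison are assumptions made for illustration; version comparison is left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample: updateinfo-style entry carrying the *proposed*
# (hypothetical) vendor attribute on each package element.
UPDATEINFO = """
<updates>
  <update type="security">
    <id>foo-1234</id>
    <pkglist><collection>
      <package name="foo" version="1.1" vendor="SUSE"/>
      <package name="foo-devel" version="1.1" vendor="SUSE"/>
    </collection></pkglist>
  </update>
</updates>
"""

def vendor_compatible(a, b):
    # Assumption: plain case-insensitive equality stands in for whatever
    # 'vendor compatible' policy the resolver would really apply.
    return a.strip().lower() == b.strip().lower()

def classify(update, installed):
    """installed maps package name -> vendor of the installed package.
    Returns (verdict, compatible_names, foreign_names)."""
    ours, foreign = [], []
    for pkg in update.iter("package"):
        name, want = pkg.get("name"), pkg.get("vendor")
        have = installed.get(name)
        if have is None:
            continue                  # not installed: nothing to decide
        if want is None or vendor_compatible(want, have):
            ours.append(name)         # no vendor given => no restriction
        else:
            foreign.append(name)
    if not ours and not foreign:
        verdict = "not-installed"
    elif not foreign:
        verdict = "valid"             # case 1: consider the patch
    elif not ours:
        verdict = "invalid"           # case 2: do not consider it
    else:
        verdict = "mixed"             # case 3: warn, let the user decide
    return verdict, ours, foreign

def classify_all(xml_text, installed):
    root = ET.fromstring(xml_text)
    return {u.findtext("id"): classify(u, installed)
            for u in root.iter("update")}
```

In the `mixed` case the returned lists separate the packages that could still be updated from the ones replaced by another vendor, which is the information a warning to the user would need.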