Mailinglist Archive: opensuse-features (40 mails)

[openFATE 313088] allow patches that uninstall packages
Feature changed by: Michael Andres (mlandres)
Feature #313088, revision 14
Title: allow patches that uninstall packages

openSUSE Distribution: Unconfirmed
Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization:

Suppose security flaws are discovered in some leaf package that we
cannot fix for some reason. We need a way to tell users of that package
that they better uninstall the affected package. Previously we would
have "solved" this by releasing a new version of the package without
files. This is a rather ugly hack though. What we need is a special
patch that when selected uninstalls the listed packages without causing
e.g. packagekit to choke.

#1: Michael Schröder (mlschroe) (2011-12-19 15:52:44)
As often, the libzypp/solver part is easy. Please propose how you want
to encode such an uninstall request into updateinfo.xml. Also please
ask the Fedora guys about their opinion, as we share the

#2: Ludwig Nussel (lnussel) (2011-12-19 16:03:37) (reply to #1)
please go ahead, you're the expert

#3: Michael Schröder (mlschroe) (2011-12-19 16:07:23) (reply to #2)
But I'm not the Architect(TM)

#4: Karl Cheng (qantas94heavy) (2016-11-18 04:04:22)
I wonder if you think this is still right today, Ludwig... ;)

#5: Ludwig Nussel (lnussel) (2016-12-05 15:02:54) (reply to #4)
Yes I think so. It's also interesting for e.g. openSUSE:Backports

#6: Sławomir Lach (lachu) (2016-12-06 17:12:37)
It is a good idea to also disallow installing a package with security

#8: Kai Dupke (kdupke) (2017-02-17 11:54:04) (reply to #6)
Users might see this as too much managing them. And there might be
reasons you want to have exactly this specific version, even if it has a
security flaw. Of course, having someone to acknowledge on this could
be worth.

#9: Jiri Srain (jsrain) (2017-04-10 08:04:07Z)
I wonder if we need any handling in updateinfo at all. Can the patch
itself just conflict with the package we want to remove?
Thorsten, you may want to have a look as an architect...

+ #10: Michael Andres (mlandres) (2017-04-19 08:40:22) (reply to #9)
+ Inside libsolv/libzypp a patch is an ordinary object just like a
+ package. A patch is created from an entry in updateinfo.xml by
+ translating the package list into a set of conflict dependencies. This
+ way the patch will conflict with installed versions less than the ones
+ mentioned in the updateinfo.xml.
+ A patch with actual conflicts is called broken or needed. If such a
+ patch is selected, dependency resolution can resolve such a conflict by
+ either updating the package or by removing it.
+ The common resolution to update the package is just because the
+ update-repo also provides the new rpm packages. If we'd mention a
+ package in the updateinfo.xml, but do not ship a new rpm package as
+ well, dependency resolution will (interactively) suggest to remove the
+ package. For the sake of being more explicit or if we want to
+ non-interactively remove packages, we need to indicate that 'a package
+ is intentionally not shipped' (i.e. to be deleted) in the
+ updateinfo.xml.
+ Michael Schröder is probably more familiar with the updateinfo.xml
+ format and he also 'owns' the parser; maybe he has some suggestion how
+ to encode this. Maybe just '<package>' entries without src/filename
+ attributes or an explicit '<delpkglist>'?

openSUSE Feature:
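
The mechanism described in comment #10, as an added sketch that is not libzypp/libsolv code and not part of the original thread: an updateinfo entry becomes a set of "name < version" conflicts, and a broken conflict resolves to an update when an rpm is shipped and to a removal when it is not. Assumptions: the XML sample and package names are constructed, a `<package>` without a `<filename>` child stands in for the "intentionally not shipped" marker that comment #10 only proposes, and version ordering is simplified (numeric segments only, epoch ignored).

```python
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml entry. "leafpkg" carries no <filename>, which this
# sketch reads as "intentionally not shipped" (the idea floated in comment #10).
UPDATEINFO = """<updates><update type="security"><id>EXAMPLE-2017-1</id>
<pkglist><collection>
  <package name="libfoo" epoch="0" version="1.2.4" release="3.1" arch="x86_64">
    <filename>libfoo-1.2.4-3.1.x86_64.rpm</filename></package>
  <package name="leafpkg" epoch="0" version="0.9" release="1.1" arch="x86_64"/>
</collection></pkglist></update></updates>"""

def evr_key(version, release):
    # Simplified ordering: compares numeric segments only, not full rpmvercmp.
    split = lambda s: [int(n) for n in re.findall(r"\d+", s)]
    return (split(version), split(release))

def patch_conflicts(xml_text):
    """Map each listed package to (fixed version key, shipped?).

    Each entry means: the patch conflicts with installed `name` older than
    the listed version.
    """
    conflicts = {}
    for pkg in ET.fromstring(xml_text).iter("package"):
        shipped = pkg.find("filename") is not None
        key = evr_key(pkg.get("version"), pkg.get("release"))
        conflicts[pkg.get("name")] = (key, shipped)
    return conflicts

def resolve(conflicts, installed):
    """installed: {name: (version, release)}. Return {name: action} for every
    broken conflict; an empty result means the patch is not needed."""
    plan = {}
    for name, (fixed, shipped) in conflicts.items():
        if name in installed and evr_key(*installed[name]) < fixed:
            # An rpm in the update repo lets the solver update; otherwise
            # removal is the only way to satisfy the conflict.
            plan[name] = "update" if shipped else "remove"
    return plan
```
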
