search

rpm-software-management / dnf5

Next-generation RPM package management system
Other
232 stars 76 forks source link

Should `dnf distro-sync` use `--best` by default? #934

Open praiskup opened 10 months ago

praiskup commented 10 months ago

I almost started dnf distro-sync --releasever 39 today without fixing a few of dependencies in advance, in theory leading to a broken box.

sudo dnf distro-sync --releasever 39
...
Transaction Summary:
 Installing:       55 packages
 Reinstalling:      2 packages
 Upgrading:      3611 packages
 Replacing:      3666 packages
 Removing:         14 packages
 Downgrading:      40 packages

Total size of inbound packages is 5 GiB. Need to download 5 GiB.
After this operation 528 MiB will be used (install 15 GiB, remove 15 GiB).
Is this ok [y/N]:

From my previous experiences with DNF4, it always stops the transaction if there are some broken dependencies... and here are some of them:

 Problem 2: cannot install both python3-ansible-compat-4.1.1-1.fc38.noarch and python3-ansible-compat-4.1.1-3.fc39.noarch                                                                                                                   
  - package python3-molecule-4.0.4-5.fc38.noarch requires python3.11dist(ansible-compat) >= 2.2, but none of the providers can be installed                                                                                                 
  - cannot install the best update candidate for package python3-ansible-compat-4.1.1-1.fc38.noarch                                                                                                                                         
  - problem with installed package                                                                                                                                                                                                          
 Problem 3: cannot install both python3-click-8.1.3-2.fc38.noarch and python3-click-8.1.3-5.fc39.noarch                                                                                                                                     
  - package python3-pulp-cli-0.16.0-1.fc37.noarch requires (python3.11dist(click) < 9~~ with python3.11dist(click) >= 8), but none of the providers can be installed                                                                        
  - cannot install the best update candidate for package python3-click-8.1.3-2.fc38.noarch                                                                                                                                                  
  - problem with installed package

The thing is that the log is too long, and I almost missed this fact. The correct behavior seems to be with --best:

$ sudo dnf distro-sync --releasever 39 --best
Updating and loading repositories:
Repositories loaded.
Failed to resolve the transaction:
Problem 1: ...
j-mracek commented 10 months ago

I tried few experiments and I think that DNF4 and DNF5 has the same behavior. May be you have a different configuration but default behavior is the same. During testing I discovered that DNF5 shows only the first error message therefore this is something we have to investigate.

@praiskup May I ask you to double check your reproducer

praiskup commented 10 months ago

I did the upgrade already :(, but I don't think I had anything special in etc/dnf/dnf.conf, neither now I have (and best=False is in the default config). And I actually think all the errors were reported somewhere "too far to take a look" up in the standard output (shrugs). So the only problem was that the best=False was in effect, the transaction was calculated seemingly OK, and I was able to hit "yes/enter" and break the system.

j-mracek commented 10 months ago

Ok, I did an experiment - I removed best=false from dnf.conf. Then DNF4 skips broken latest packages, but DNF5 fails with an error. It means DNF4 and DNF5 with distro-sync does not overrides setting in dnf.conf, but DNF5 has stronger default. DNF5 does not have

I would like to see --best as default, but FESCO rejected it time ago. I think it would be interesting to request the change again.

praiskup commented 10 months ago

As a security measure, it would be nice to have best=True at least for the distro-sync command, WDYT?

Reproducer:

$ podman run --rm -ti fedora:38
$ dnf install dnf5-plugins
$ dnf5 copr enable praiskup/break-dnf5-934
$ dnf5 install dummy-pkg
$ dnf5 distro-sync --releasever=39
...
Problem: cannot install both tar-2:1.34-8.fc38.x86_64 and tar-2:1.35-2.fc39.x86_64
  - package dummy-pkg-20231019_0937-1.fc39.x86_64 requires tar < 2:1.35-1.fc39, but none of the providers can be installed
  - cannot install the best update candidate for package tar-2:1.34-8.fc38.x86_64
  - cannot install the best update candidate for package dummy-pkg-20231019_0917-1.fc38.x86_64
...
Total size of inbound packages is 73 MiB. Need to download 73 MiB.
After this operation 7 MiB will be used (install 257 MiB, remove 250 MiB).
Is this ok [y/N]:

Doing the upgrade would basically update all packages but tar, tar would stay on the F38 version which might or might not work, potentially breaking boot or something.