diff --git a/SOURCES/0004-advisory-upgrade-filter-out-advPkgs-with-different-a.patch b/SOURCES/0004-advisory-upgrade-filter-out-advPkgs-with-different-a.patch
new file mode 100644
index 0000000..70705d9
--- /dev/null
+++ b/SOURCES/0004-advisory-upgrade-filter-out-advPkgs-with-different-a.patch
@@ -0,0 +1,100 @@
+From 35a3cebb3b23b3ba9001e3d4f9f0ef5e59c499f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Mon, 30 May 2022 08:59:41 +0200
+Subject: [PATCH 4/5] advisory upgrade: filter out advPkgs with different arch
+
+This prevents a situation in security upgrades where libsolv cannot
+upgrade dependent pkgs because we ask for an upgrade of different arch:
+
+We can get the following testcase if libdnf has filtered out
+json-c-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms
+(because there is an advisory for already installed json-c-1-1.el8.x86_64) but
+json-c-2-2.el8.i686@rhel-8-for-x86_64-baseos-rpms is not filtered out because
+it has different architecture. The resulting transaction doesn't work.
+
+```
+repo @System -99.-1000 testtags
+#>=Pkg: bind-libs-lite 1 1.el8 x86_64
+#>=Pkg: json-c 1 1.el8 x86_64
+
+repo rhel-8-for-x86_64-baseos-rpms -99.-1000 testtags
+#>=Pkg: json-c 2 2.el8 x86_64
+#>=Prv: libjson-c.so.4()(64bit)
+#>
+#>=Pkg: json-c 2 2.el8 i686
+#>=Prv: libjson-c.so.4()
+#>
+#>=Pkg: bind-libs-lite 2 2.el8 x86_64
+#>=Req: libjson-c.so.4()(64bit)
+system x86_64 rpm @System
+job update oneof json-c-1-1.el8.x86_64@@System json-c-2-2.el8.i686@rhel-8-for-x86_64-baseos-rpms bind-libs-lite-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms [forcebest,targeted,setevr,setarch]
+result transaction,problems
+#>problem f06d81a4 info package bind-libs-lite-2-2.el8.x86_64 requires libjson-c.so.4()(64bit), but none of the providers can be installed
+#>problem f06d81a4 solution 96f9031b allow bind-libs-lite-1-1.el8.x86_64@@System
+#>problem f06d81a4 solution c8daf94f allow json-c-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms
+#>upgrade bind-libs-lite-1-1.el8.x86_64@@System bind-libs-lite-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms
+#>upgrade json-c-1-1.el8.x86_64@@System json-c-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms```
+```
+
+= changelog =
+msg: Filter out advisory pkgs with different arch during advisory upgrade, fixes possible problems in dependency resulution.
+type: bugfix
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2088149
+---
+ libdnf/sack/query.cpp | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/libdnf/sack/query.cpp b/libdnf/sack/query.cpp
+index ac2736b5..03d39659 100644
+--- a/libdnf/sack/query.cpp
++++ b/libdnf/sack/query.cpp
+@@ -1877,12 +1877,6 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ std::vector candidates;
+ std::vector installed_solvables;
+
+- Id id = -1;
+- while ((id = resultPset->next(id)) != -1) {
+- candidates.push_back(pool_id2solvable(pool, id));
+- }
+- NameArchEVRComparator cmp_key(pool);
+-
+ if (cmp_type & HY_UPGRADE) {
+ Query installed(sack, ExcludeFlags::IGNORE_EXCLUDES);
+ installed.installed();
+@@ -1893,6 +1887,18 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ installed_solvables.push_back(pool_id2solvable(pool, installed_id));
+ }
+ std::sort(installed_solvables.begin(), installed_solvables.end(), NameArchSolvableComparator);
++ Id id = -1;
++ while ((id = resultPset->next(id)) != -1) {
++ Solvable * s = pool_id2solvable(pool, id);
++ // When doing HY_UPGRADE consider only candidate pkgs that have matching Name and Arch
++ // with some already installed pkg (in other words: some other version of the pkg is already installed).
++ // Otherwise a pkg with different Arch than installed can end up in upgrade set which is wrong.
++ // It can result in dependency issues, reported as: RhBug:2088149.
++ auto low = std::lower_bound(installed_solvables.begin(), installed_solvables.end(), s, NameArchSolvableComparator);
++ if (low != installed_solvables.end() && s->name == (*low)->name && s->arch == (*low)->arch) {
++ candidates.push_back(s);
++ }
++ }
+
+ // Apply security filters only to packages with lower priority - to unify behaviour upgrade
+ // and upgrade-minimal
+@@ -1915,7 +1921,14 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ }
+ }
+ std::swap(candidates, priority_candidates);
++ } else {
++ Id id = -1;
++ while ((id = resultPset->next(id)) != -1) {
++ candidates.push_back(pool_id2solvable(pool, id));
++ }
+ }
++
++ NameArchEVRComparator cmp_key(pool);
+ std::sort(candidates.begin(), candidates.end(), cmp_key);
+ for (auto & advisoryPkg : pkgs) {
+ if (cmp_type & HY_UPGRADE) {
+--
+2.37.1
+
diff --git a/SOURCES/0005-Add-obsoletes-to-filtering-for-advisory-candidates.patch b/SOURCES/0005-Add-obsoletes-to-filtering-for-advisory-candidates.patch
new file mode 100644
index 0000000..467ccb9
--- /dev/null
+++ b/SOURCES/0005-Add-obsoletes-to-filtering-for-advisory-candidates.patch
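Review bot: The added name/arch check in the `HY_UPGRADE` loop (`s->name == (*low)->name && s->arch == (*low)->arch`) drops every advisory package whose arch differs from the installed build, and that appears to include a fixed build that legitimately moved between an arch-specific package and `noarch`. In that case the security update would be skipped without any message, so an advisory upgrade can report nothing to do while the fix is not applied. Consider treating such arch transitions as a match, or at least logging each advisory package that is filtered out, and add a test for that case. The body of `Query::Impl::filterAdvisory` starts and ends outside these hunks, so how `candidates` is consumed later is not visible here.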
@@ -0,0 +1,71 @@
+From 83d6c019360823504fe27284fdf4804943bb2033 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Tue, 5 Jul 2022 09:02:22 +0200
+Subject: [PATCH 5/5] Add obsoletes to filtering for advisory candidates
+
+Patch https://github.com/rpm-software-management/libdnf/pull/1526
+introduced a regression where we no longer do a security upgrade if a
+package A is installed and package B obsoletes A and B is available in two
+versions while there is an advisory for the second version.
+
+Test: https://github.com/rpm-software-management/ci-dnf-stack/pull/1130
+---
+ libdnf/sack/query.cpp | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/libdnf/sack/query.cpp b/libdnf/sack/query.cpp
+index 03d39659..5355f9f7 100644
+--- a/libdnf/sack/query.cpp
++++ b/libdnf/sack/query.cpp
+@@ -1878,6 +1878,13 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ std::vector installed_solvables;
+
+ if (cmp_type & HY_UPGRADE) {
++ // When doing HY_UPGRADE consider only candidate pkgs that have matching Name and Arch with:
++ // * some already installed pkg (in other words: some other version of the pkg is already installed)
++ // or
++ // * with pkg that obsoletes some already installed (or to be installed in this transaction) pkg
++ // Otherwise a pkg with different Arch than installed can end up in upgrade set which is wrong.
++ // It can result in dependency issues, reported as: RhBug:2088149.
++
+ Query installed(sack, ExcludeFlags::IGNORE_EXCLUDES);
+ installed.installed();
+ installed.addFilter(HY_PKG_LATEST_PER_ARCH, HY_EQ, 1);
+@@ -1887,13 +1894,30 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ installed_solvables.push_back(pool_id2solvable(pool, installed_id));
+ }
+ std::sort(installed_solvables.begin(), installed_solvables.end(), NameArchSolvableComparator);
++
++ Query obsoletes(sack, ExcludeFlags::IGNORE_EXCLUDES);
++ obsoletes.addFilter(HY_PKG, HY_EQ, resultPset);
++ obsoletes.available();
++
++ Query possibly_obsoleted(sack, ExcludeFlags::IGNORE_EXCLUDES);
++ possibly_obsoleted.addFilter(HY_PKG, HY_EQ, resultPset);
++ possibly_obsoleted.addFilter(HY_PKG_UPGRADES, HY_EQ, 1);
++ possibly_obsoleted.queryUnion(installed);
++ possibly_obsoleted.apply();
++
++ obsoletes.addFilter(HY_PKG_OBSOLETES, HY_EQ, possibly_obsoleted.runSet());
++ obsoletes.apply();
++ Id obsoleted_id = -1;
++ // Add to candidates resultPset pkgs that obsolete some installed (or to be installed in this transaction) pkg
++ while ((obsoleted_id = obsoletes.pImpl->result->next(obsoleted_id)) != -1) {
++ Solvable * s = pool_id2solvable(pool, obsoleted_id);
++ candidates.push_back(s);
++ }
++
+ Id id = -1;
++ // Add to candidates resultPset pkgs that match name and arch with some already installed pkg
+ while ((id = resultPset->next(id)) != -1) {
+ Solvable * s = pool_id2solvable(pool, id);
+- // When doing HY_UPGRADE consider only candidate pkgs that have matching Name and Arch
+- // with some already installed pkg (in other words: some other version of the pkg is already installed).
+- // Otherwise a pkg with different Arch than installed can end up in upgrade set which is wrong.
+- // It can result in dependency issues, reported as: RhBug:2088149.
+ auto low = std::lower_bound(installed_solvables.begin(), installed_solvables.end(), s, NameArchSolvableComparator);
+ if (low != installed_solvables.end() && s->name == (*low)->name && s->arch == (*low)->arch) {
+ candidates.push_back(s);
+--
+2.37.1
+
diff --git a/SPECS/libdnf.spec b/SPECS/libdnf.spec
index dbb0e58..b7bc0c8 100644
--- a/SPECS/libdnf.spec
+++ b/SPECS/libdnf.spec
@@ -56,7 +56,7 @@ Name: libdnf Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version} -Release: 5%{?dist} +Release: 5.1%{?dist} Summary: Library providing simplified C and Python API to libsolv License: LGPLv2+ URL: https://github.com/rpm-software-management/libdnf @@ -64,6 +64,9 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz Patch1: 0001-Use-rpmdbCookie-from-librpm-remove-hawkey.Sack._rpmd.patch Patch2: 0002-Skip-rich-deps-for-autodetection-of-unmet-dependencies-RhBug2033130-2048394.patch Patch3: 0003-Update-translations-RhBug-2017349.patch +Patch4: 0004-advisory-upgrade-filter-out-advPkgs-with-different-a.patch +Patch5: 0005-Add-obsoletes-to-filtering-for-advisory-candidates.patch + BuildRequires: cmake BuildRequires: gcc @@ -307,6 +310,10 @@ popd %endif %changelog +* Wed Aug 17 2022 Lukas Hrazky - 0.65.0-5.1 +- advisory upgrade: filter out advPkgs with different arch +- Add obsoletes to filtering for advisory candidates + * Mon Mar 21 2022 Marek Blaha - 0.65.0-5 - Update translations
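Review bot: The new loop over `obsoletes.pImpl->result` pushes every obsoleting package into `candidates` without the name/arch comparison that the following loop applies, although the comment at the top of the `HY_UPGRADE` branch describes an arch match for obsoleters too. An obsoleter built for a different arch than the installed package it replaces can therefore re-enter the upgrade set, which looks like the situation the previous patch was meant to exclude; consider comparing the obsoleter's arch with the arch of the package it obsoletes. A package that both obsoletes an installed package and matches one by name and arch is also appended twice, so confirm that the later sort and lookups tolerate duplicates. The loop variable `obsoleted_id` holds ids of the obsoleting packages, so a name such as `obsoleter_id` would read more accurately. The enclosing function continues outside the hunk.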