[Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

Jan Pazdziora jpazdziora at redhat.com
Wed Aug 26 08:02:33 UTC 2015


On Tue, Aug 25, 2015 at 03:50:04PM +0300, Alexander Bokovoy wrote:
> On Tue, 25 Aug 2015, Jan Cholasta wrote:
> > On 25.8.2015 14:23, Alexander Bokovoy wrote:
> > > On Tue, 25 Aug 2015, Jan Cholasta wrote:
> > > > +Requires(pre): selinux-policy >= %{selinux_policy_version}
> > > >  Requires: selinux-policy >= %{selinux_policy_version}
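Review bot: the added Requires(pre) line sits directly above a plain Requires with the identical selinux-policy constraint, and nothing in the spec says why both are kept. A one-line comment above the pair, saying that Requires(pre) covers ordering ahead of the scriptlets and the plain Requires keeps the dependency once the package is installed, would stop a later cleanup from dropping one of them as a duplicate.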
> > >
> > > If we have it in Requires(pre), we don't need it in Requires, as
> > > Requires(pre) is a superset of guarantees that Requires gives you.
> >
> > Martin (CCed) told me Requires(pre) does not imply Requires.
>
> See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):
> ----------------
> Since the only way out of a dependency loop is to snip the loop
> somewhere, rpm uses hints from Requires: dependencies to distinguish
> co-requisite (these are not needed to install, only to use, a package)
> from pre-requisite (these are guaranteed to be installed before the
> package that includes the dependency) relations.

However, this section seems to only apply to loop resolution. Note
that

	http://www.rpm.org/wiki/PackagerDocs/MoreOnDependencies

says about Requires(pre)

	* It ensures that the package providing /usr/sbin/useradd is
	  installed before this package. In presence of dependency
	  loops, scriptlet dependencies are the only way to ensure
	  correct install order.
	* If there are no other dependencies on the package providing
	  /usr/sbin/useradd, that package is permitted to be removed
	  from the system after installation(!) 

	It's a fairly common mistake to replace legacy PreReq
	dependencies with Requires(pre), but this is not the
	same, due to the latter point above! 

So I'd say that Requires(pre) does not imply Requires and if we only
do Requires(pre): selinux-policy >= %{selinux_policy_version}, after
the installation, anybody can downgrade the selinux-policy package.
Heck, even in that ipa-server upgrading transaction, there could be
a selinux-policy downgrade operation, which would leave the newer
version for ipa-server's pre but install an older version of
selinux-policy after it's done with ipa-server.

Yes, it's just a theoretical situation but we should not shortcut
Requires with Requires(pre), it might teach people reading the .spec
files bad habits.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
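
A lint for the situation described in this message, as an added example that is not part of the original post or of FreeIPA's packaging: it lists dependencies that a spec file declares only as Requires(<scriptlet>) with no plain Requires to back them, per (sub)package. The function names and the sample spec are constructed for illustration, and rich (parenthesized) dependencies are assumed absent.

```python
import re
# Matches "Requires:" and qualified forms such as "Requires(pre):".
REQ_RE = re.compile(r'^Requires(?:\(([^)]*)\))?:\s*(.+)$', re.IGNORECASE)
OPS = ('<', '<=', '=', '>=', '>')

# Constructed sample spec fragment (not taken from freeipa.spec).
SAMPLE_SPEC = """\
Name: example-server
Requires(pre): selinux-policy >= %{selinux_policy_version}
Requires: selinux-policy >= %{selinux_policy_version}
Requires(pre): shadow-utils
Requires(post): systemd-units

%package client
Requires(post): policycoreutils
Requires: policycoreutils
Requires(pre): selinux-policy >= %{selinux_policy_version}
"""

def parse_deps(value):
    """Return dependency names from a Requires value, dropping version constraints."""
    names, tokens, i = [], value.replace(',', ' ').split(), 0
    while i < len(tokens):
        names.append(tokens[i])
        i += 3 if i + 2 < len(tokens) and tokens[i + 1] in OPS else 1
    return names

def scriptlet_only_requires(spec_text):
    """Map (subpackage, dep) -> qualifiers for deps with no plain Requires."""
    plain, qualified, pkg = set(), {}, ''   # '' is the main package
    for raw in spec_text.splitlines():
        line = raw.strip()
        if line.startswith('%package'):
            pkg = line.split()[-1]          # "%package client", "%package -n name"
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        qualifier, value = m.groups()
        for dep in parse_deps(value):
            if qualifier is None:
                plain.add((pkg, dep))
            else:
                qualified.setdefault((pkg, dep), []).append(qualifier)
    return {k: q for k, q in qualified.items() if k not in plain}

if __name__ == '__main__':
    for (pkg, dep), quals in sorted(scriptlet_only_requires(SAMPLE_SPEC).items()):
        print(f"{pkg or '(main)'}: {dep} only in Requires({','.join(quals)})")
```

In the sample, selinux-policy is not reported for the main package because the plain Requires backs it, but it is reported for the client subpackage, where only Requires(pre) is present.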



