[Freeipa-devel] [PATCH 477] spec file: Add Requires(pre) on selinux-policy

Alexander Bokovoy abokovoy at redhat.com
Wed Aug 26 09:01:20 UTC 2015


On Wed, 26 Aug 2015, Jan Pazdziora wrote:
>On Tue, Aug 25, 2015 at 03:50:04PM +0300, Alexander Bokovoy wrote:
>> On Tue, 25 Aug 2015, Jan Cholasta wrote:
>> > On 25.8.2015 14:23, Alexander Bokovoy wrote:
>> > > On Tue, 25 Aug 2015, Jan Cholasta wrote:
>> > > > +Requires(pre): selinux-policy >= %{selinux_policy_version}
>> > > >  Requires: selinux-policy >= %{selinux_policy_version}
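Review bot: the added `Requires(pre): selinux-policy >= %{selinux_policy_version}` line now sits directly above an almost identical `Requires:` line, and nothing in the spec says why both are there, so a later cleanup could drop one as a duplicate. Suggest a short spec comment above the pair stating what each line is for.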
>> > >
>> > > If we have it in Requires(pre), we don't need it in Requires, as
>> > > Requires(pre) is a superset of guarantees that Requires gives you.
>> >
>> > Martin (CCed) told me Requires(pre) does not imply Requires.
>>
>> See http://rpm.org/api/4.4.2.2/tsort.html (available since 2007):
>> ----------------
>> Since the only way out of a dependency loop is to snip the loop
>> somewhere, rpm uses hints from Requires: dependencies to distinguish
>> co-requisite (these are not needed to install, only to use, a package)
>> from pre-requisite (these are guaranteed to be installed before the
>> package that includes the dependency) relations.
>
>However, this section seems to only apply to loop resolution. Note
>that
>
>	http://www.rpm.org/wiki/PackagerDocs/MoreOnDependencies
>
>says about Requires(pre)
>
>	* It ensures that the package providing /usr/sbin/useradd is
>	  installed before this package. In presence of dependency
>	  loops, scriptlet dependencies are the only way to ensure
>	  correct install order.
>	* If there are no other dependencies on the package providing
>	  /usr/sbin/useradd, that package is permitted to be removed
>	  from the system after installation(!)
>
>	It's a fairly common mistake to replace legacy PreReq
>	dependencies with Requires(pre), but this is not the
>	same, due to the latter point above!
>
>So I'd say that Requires(pre) does not imply Requires and if we only
>do Requires(pre): selinux-policy >= %{selinux_policy_version}, after
>the installation, anybody can downgrade the selinux-policy package.
>Heck, even in that ipa-server upgrading transaction, there could be
>a selinux-policy downgrade operation, which would leave the newer
>version for ipa-server's pre but install older version of
>selinux-policy after it's done with ipa-server.
>
>Yes, it's just a theoretical situation but we should not shortcut
>Requires with Requires(pre), it might teach people reading the .spec
>files bad habits.
Well, in that case having both Requires and Requires(post) is a
necessity, it seems.

-- 
/ Alexander Bokovoy
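
The point raised in this thread, that a dependency declared only under Requires(pre) is not kept as an ordinary Requires after installation, can be checked mechanically. The following is an added example, not part of the original message or of FreeIPA's tooling: a small Python lint that flags constraints present only under a scriptlet-qualified Requires. The function names and the sample spec text are constructed for illustration, and rich (boolean) dependencies are not handled.

```python
import re

# "Requires: ..." or "Requires(pre,post): ..." tag lines (BuildRequires is not matched).
TAG = re.compile(r'^Requires(?:\(([^)]*)\))?\s*:\s*(.+)$', re.IGNORECASE)
# One dependency: a name, optionally followed by "<op> <version>".
DEP = re.compile(r'([^\s,]+)(?:\s*(>=|<=|=|<|>)\s*([^\s,]+))?')

def parse_requires(spec_text):
    """Return (plain, scriptlet): dep name -> set of (op, version) constraints."""
    plain, scriptlet = {}, {}
    for line in spec_text.splitlines():
        m = TAG.match(line.strip())
        if not m:
            continue
        qualifiers, deps = m.groups()
        # No "(...)" qualifier means an ordinary Requires.
        target = plain if qualifiers is None else scriptlet
        for name, op, ver in DEP.findall(deps):
            target.setdefault(name, set()).add((op, ver))
    return plain, scriptlet

def scriptlet_only(spec_text):
    """List (name, op, version) constraints declared only under a
    scriptlet-qualified Requires, with no identical plain Requires."""
    plain, scriptlet = parse_requires(spec_text)
    missing = []
    for name, constraints in sorted(scriptlet.items()):
        for c in sorted(constraints - plain.get(name, set())):
            missing.append((name,) + c)
    return missing

# Constructed sample spec fragment (not the FreeIPA spec file).
SAMPLE_SPEC = """\
Name: example-server
Requires(pre): selinux-policy >= %{selinux_policy_version}
Requires: selinux-policy >= %{selinux_policy_version}
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires: systemd-units
"""

if __name__ == "__main__":
    for name, op, ver in scriptlet_only(SAMPLE_SPEC):
        print("scriptlet-only dependency:", " ".join(p for p in (name, op, ver) if p))
```
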



