[Freeipa-devel] [PATCH 0052] Create server-dns sub-package

Wed Jul 15 17:39:04 UTC 2015

----- Original Message -----
> From: "Petr Spacek" <pspacek at redhat.com>
> To: "Jan Cholasta" <jcholast at redhat.com>, freeipa-devel at redhat.com, "Alexander Bokovoy" <abokovoy at redhat.com>
> Cc: "Simo Sorce" <simo at redhat.com>
> Sent: Tuesday, July 14, 2015 10:33:41 AM
> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
> 
> On 14.7.2015 16:29, Jan Cholasta wrote:
> > Dne 14.7.2015 v 14:33 Petr Spacek napsal(a):
> >> On 2.7.2015 09:56, Petr Spacek wrote:
> >>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
> >>>> On Thu, 02 Jul 2015, Jan Cholasta wrote:
> >>>>>>>>> Can this be done without adding server-core?
> >>>>>>>> I'm not aware of such method (except of adding all DNS dependencies
> >>>>>>>> as
> >>>>>>>> Requires straight into freeipa-server package).
> >>>>>>>>
> >>>>>>>>> Because it's not server core,
> >>>>>>>>> it's the whole thing! Or maybe just rename it to server-common?
> >>>>>>>>
> >>>>>>>> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA too
> >>>>>>>> so my
> >>>>>>>> idea was to create 'core' package which will be gradually reduced
> >>>>>>>> more and more.
> >>>>>>>
> >>>>>>> Well, I don't like the fact that in order to install IPA server
> >>>>>>> without DNS you have to install freeipa-server-core instead of just
> >>>>>>> freeipa-server. Fedora packaging guidelines [1] state that the
> >>>>>>> metapackage should be named freeipa-server-compat, so I guess
> >>>>>>> renaming
> >>>>>>> freeipa-server to freeipa-server-compat and freeipa-server-core to
> >>>>>>> freeipa-server is good enough.
> >>>>>> I think you are misunderstanding what the guidelines say. -compat
> >>>>>> subpackage is something that only contains Requires: and Obsoletes:,
> >>>>>> to
> >>>>>> help to pull the right packages. It is not supposed to be a
> >>>>>> full-featured package with content.
> >>>>>
> >>>>> With Petr's patch, freeipa-server is exactly that - a metapackage with
> >>>>> requires and obsoletes only - hence my suggestion to rename it
> >>>>> according to
> >>>>> the guidelines.
> >>>> That's not good.
> >>>>
> >>>>>> I think we are good enough with freeipa-server-dns. We have the same
> >>>>>> situation with freeipa-server-trust-ad -- it is not required by the
> >>>>>> main
> >>>>>> package and pulls in Samba-related bits. We also don't have any
> >>>>>> -compat
> >>>>>> or metapackage for it.
> >>>>>
> >>>>> freeipa-server-dns is fine, what is IMO not fine is that it *is*
> >>>>> required by
> >>>>> the main freeipa-server package, *unlike* freeipa-server-trust-ad.
> >>>>>
> >>>>> We don't have a compat metapackage for freeipa-server-trust-ad, because
> >>>>> there are no upgrade issues with it, which is what Petr is trying to
> >>>>> solve
> >>>>> with his patch.
> >>>> So, the issue is that for installed bind+bind-dyndb-ldap combination we
> >>>> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
> >>>> modifying main freeipa package we could modify bind-dyndb-ldap package
> >>>> to require bind-pkcs11 and corresponding bits of freeipa packages?
> >>>
> >>> Unfortunately, no.
> >>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
> >>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
> >>> provider)
> >>> => upgrade could break non-FreeIPA installations.
> >>>
> >>> I'm attempting to rework the patch now, stay tuned.
> >>
> >> Apparently this thread was abandoned during my PTO so I'm sending new
> >> patch
> >> here. It includes the -compat package and works with YUM and DNF.
> > 
> > I don't like that freeipa-server got renamed to freeipa-server-core, but I
> > won't push against it if Alexander and others (CCing Simo) are OK with it.
> 
> For the record, I was not able to make it work without the rename.

My opinion is that if we run dnf install freeipa-server, then we need to get freeipa server packages.
If this is what happens I am ok with patches, otherwise I am not.

Simo.