Bug 367057

Summary: update installing unwanted packages
Product: [openSUSE] openSUSE 11.0 Reporter: Don Hughes <support>
Component: YaST2 Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FIXED QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P5 - None CC: chrubis, dmacvicar, kkaempf, lslezak, ma, schubi
Version: Beta 1   
Target Milestone: Beta 2   
Hardware: i586   
OS: openSUSE 10.3   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Don Hughes 2008-03-04 18:35:20 UTC
In order to use the most recent security updates on several of our more critical applications (such as Apache) we install them from source.  Starting several SuSE releases ago software management would INSIST on installing the 'missing' applications.  We ended up creating dummy rpms to keep the update engine happy.  Occasionally the dependencies would change and yast would again try to install the package, but as long as we checked the 'installation summary' before accepting any changes we could catch the errors and update our dummy rpm to reflect the new requirements before any damage was done.  It was a pain, but manageable.

However, the update function in 10.3 runs a hidden and unwanted 'system verify' AFTER you have accepted the updates and makes changes without giving you an opportunity to approve them.  Several months ago the system 'fixed' two systems by installing a second (and unnecessary and unwanted) copy of Apache.  Fortunately, it only took a couple of hours to un-install the unwanted copy and repair the configuration.

Last week when applying a security patch to the system that we are using as a firewall/router and on which we have removed everything but the essential applications, the update program - after indicating that it was only going to apply the desired patch - ran the system verify and decided that the only way to fix the missing dependencies was to DELETE 85 packages!!! Before we could cancel the process (by the way the 'cancel' button - doesn't) we had a totally un-bootable system and were off the air for over a day while we rebuilt it.

1) Online Update must not make any unconfirmed changes.
2) In addition to 'taboo' there should be an option to indicate that the package has been installed by another means and that all of the defined features will be provided.
3) There should be an easy to use way to setup a profile for the settings of the automatic dependency check and taboo applications that carries over from session to session and between the command line update and management functions
Comment 9 Stefan Hundhammer 2008-04-17 16:29:48 UTC
Don, apart from the problem of there being an undesired solver run, maybe you could make your life easier using "checkinstall" to make real RPMs from your freshly compiled Apache (and whatever other packages you build yourself) and then create a real repository with those RPMs? That should integrate smoothly with the online update.
Comment 10 Don Hughes 2008-04-17 22:25:30 UTC
Stefan,

Thanks,

I do.  In general, in order to increase performance and reduce attack vectors, I only compile with the very minimum options necessary to run the applications in my environment.  SuSE tends to compile with the maximum reasonable set for the widest compatibility.

Previous verify runs ran cleanly, but this update modified one of the dependent packages to require a new feature that was available in the SuSE apache, but not in mine.  But instead of giving a message so that I could stop the update, investigate, recompile my version etc;  it just 'updated' my version to the SuSE version.

With the second example, the problem was not that I was using packages installed outside of the RPM system, but that I had uninstalled a number of packages that were installed with the 'minimal system install', but that I did not want on my system.  The update logic decided that since I was missing part of the 'package group' and because there were several conflicts, that it would just go ahead and resolve the conflicts by deleting the rest of the group -- which was, basically, the entire operating system.

For example, I uninstalled required libraries that, although required for some applications, were for features that I will never use, and, in fact, do not want to be used.  The only risk should be a potential program crash if that function somehow managed to get called, not that the update logic would unilaterally uninstall the application.
Comment 15 Stanislav Visnovsky 2008-04-21 11:44:05 UTC
I suggest to ask user, inform about the situation with the packagemanager-related updates. If user decides to continue, just apply the result from the selector, otherwise go back to the selector asking user to review the problem.
Comment 16 Jiří Suchomel 2008-04-21 13:11:38 UTC
OK, now, please help me someone (adding Martina) with the popup text informing user about the situation. First proposal:

"There are patches for package management available requiring restart of YaST.
They should be installed in the first place and all other patches after the restart.

You selected some other patches to be installed now.
Continue with installing user selection?"

[Continue][Cancel]

Clicking Cancel opens package selector again. Hey, maybe the whole check and the warning should go inside the package selector, shouldn't it?
Comment 17 Don Hughes 2008-04-21 13:43:14 UTC
The wording should not suggest that 'I' selected the packages but rather that the system automatically selected them.

There is already similar wording when you are using the software management function instead of the online update:

Automatic Changes
In addition to your manual selections, the following packages have been changed to resolve dependencies:

If I do not like the automatic changes, I can taboo them.
Comment 18 Jiří Suchomel 2008-04-21 19:49:30 UTC
(In reply to comment #17 from Don Hughes)
> The wording should not suggest that 'I' selected the packages but rather that
> the system automatically selected them.

No, this is intentional. Such popup will be shown exactly when _user_ selected something different than proposed.

I know this is different to your original problem, it is actually a different part of the process. There were several private comments until now where we were discussing this.
Comment 19 Jiří Suchomel 2008-04-24 11:17:20 UTC
Done in yast2-online-update-2.16.12.