import dnf-4.7.0-11.el8

SOURCES/0024-doc-Describe-how-gpg-keys-are-stored-for-repo_ggpche.patch

@@ -0,0 +1,31 @@
+From 00f3016ec0d79186f08c2f0ebf450bdc3dab1311 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
+Date: Thu, 23 Jun 2022 09:33:45 +0200
+Subject: [PATCH] doc: Describe how gpg keys are stored for `repo_ggpcheck`
+ (RhBug:2020678)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2020678
+---
+ doc/conf_ref.rst | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/doc/conf_ref.rst b/doc/conf_ref.rst
+index 885a4560..decb49ff 100644
+--- a/doc/conf_ref.rst
++++ b/doc/conf_ref.rst
+@@ -906,6 +906,12 @@ configuration.
+     :ref:`boolean <boolean-label>`
+ 
+     Whether to perform GPG signature check on this repository's metadata. The default is False.
++    Note that GPG keys for this check are stored separately from GPG keys used in package signature
++    verification. Furthermore, they are also stored separately for each repository.
++
++    This means that dnf may ask to import the same key multiple times. For example, when a key was
++    already imported for package signature verification and this option is turned on, it may be needed
++    to import it again for the repository.
+ 
+ ``retries``
+     :ref:`integer <integer-label>`
+-- 
+2.36.1
+

SOURCES/0025-Add-only-relevant-pkgs-to-upgrade-transaction-RhBug-.patch

@@ -0,0 +1,64 @@
+From 25bc75cbe63289864c09ab25144ee4af232bd8f4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
+Date: Mon, 4 Jul 2022 09:43:25 +0200
+Subject: [PATCH] Add only relevant pkgs to upgrade transaction (RhBug:2097757)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2097757
+
+Without this patch dnf can create the following transaction during dnf upgrade --security when there is an advisory for B-2-2:
+
+```
+repo @System 0 testtags <inline>
+#>=Pkg: A 1 1 x86_64
+#>=Pkg: B 1 1 x86_64
+#>=Req: A = 1-1
+
+repo available 0 testtags <inline>
+#>=Pkg: A 2 2 x86_64
+#>=Pkg: B 2 2 x86_64
+#>=Req: A = 2-2
+system x86_64 rpm @System
+job update oneof A-1-1.x86_64@@System B-2-2.x86_64@available [targeted,setevr,setarch]
+result transaction,problems
+```
+
+Problem is that without forcebest nothing gets upgraded despite the available advisory and --security switch.
+
+This can also be seen in CI test case: rpm-software-management/ci-dnf-stack#1130
+---
+ dnf/base.py | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/dnf/base.py b/dnf/base.py
+index 852fcdd8..82466831 100644
+--- a/dnf/base.py
++++ b/dnf/base.py
+@@ -2135,7 +2135,24 @@ class Base(object):
+             query.filterm(reponame=reponame)
+         query = self._merge_update_filters(query, pkg_spec=pkg_spec, upgrade=True)
+         if query:
+-            query = query.union(installed_query.latest())
++            # Given that we use libsolv's targeted transactions, we need to ensure that the transaction contains both
++            # the new targeted version and also the current installed version (for the upgraded package). This is
++            # because if it only contained the new version, libsolv would decide to reinstall the package even if it
++            # had just a different buildtime or vendor but the same version
++            # (https://github.com/openSUSE/libsolv/issues/287)
++            #   - In general, the query already contains both the new and installed versions but not always.
++            #     If repository-packages command is used, the installed packages are filtered out because they are from
++            #     the @system repo. We need to add them back in.
++            #   - However we need to add installed versions of just the packages that are being upgraded. We don't want
++            #     to add all installed packages because it could increase the number of solutions for the transaction
++            #     (especially without --best) and since libsolv prefers the smallest possible upgrade it could result
++            #     in no upgrade even if there is one available. This is a problem in general but its critical with
++            #     --security transactions (https://bugzilla.redhat.com/show_bug.cgi?id=2097757)
++            #   - We want to add only the latest versions of installed packages, this is specifically for installonly
++            #     packages. Otherwise if for example kernel-1 and kernel-3 were installed and present in the
++            #     transaction libsolv could decide to install kernel-2 because it is an upgrade for kernel-1 even
++            #     though we don't want it because there already is a newer version present.
++            query = query.union(installed_query.latest().filter(name=[pkg.name for pkg in query]))
+             sltr = dnf.selector.Selector(self.sack)
+             sltr.set(pkg=query)
+             self._goal.upgrade(select=sltr)
+-- 
+2.36.1
+

SOURCES/0026-Use-installed_all-because-installed_query-is-filtere.patch

@@ -0,0 +1,37 @@
+From fea1f456d3d5f3015ebcff4008959916bdaaf6d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
+Date: Mon, 4 Jul 2022 09:46:29 +0200
+Subject: [PATCH] Use `installed_all` because `installed_query` is filtered
+ user input
+
+`installed_query` could be missing packages. If we specify we want to
+upgrade a specific nevra that is not yet installed, then `installed_query`
+is empty because it is based on user input, but there could be other
+versions of the pkg installed.
+
+Eg: if kernel-1 and kernel-3 are installed and we specify we want to
+upgrade kernel-2, nothing should be done because we already have higher
+version, but now `installed_query` would be empty and kernel-2 would be
+installed.
+
+Therefore, we need to use `installed_all`.
+---
+ dnf/base.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dnf/base.py b/dnf/base.py
+index 82466831..e606d9fa 100644
+--- a/dnf/base.py
++++ b/dnf/base.py
+@@ -2152,7 +2152,7 @@ class Base(object):
+             #     packages. Otherwise if for example kernel-1 and kernel-3 were installed and present in the
+             #     transaction libsolv could decide to install kernel-2 because it is an upgrade for kernel-1 even
+             #     though we don't want it because there already is a newer version present.
+-            query = query.union(installed_query.latest().filter(name=[pkg.name for pkg in query]))
++            query = query.union(installed_all.latest().filter(name=[pkg.name for pkg in query]))
+             sltr = dnf.selector.Selector(self.sack)
+             sltr.set(pkg=query)
+             self._goal.upgrade(select=sltr)
+-- 
+2.36.1
+

SPECS/dnf.spec

@@ -66,7 +66,7 @@ It supports RPMs, modules and comps groups & environments.
 
 Name:           dnf
 Version:        4.7.0
-Release:        10%{?dist}
+Release:        11%{?dist}
 Summary:        %{pkg_summary}
 # For a breakdown of the licensing, see PACKAGE-LICENSING
 License:        GPLv2+
@@ -99,6 +99,9 @@ Patch0020:      0020-cli-commands-history-Fix-history-undo-on-a-Reason-Ch.patch
 Patch0021:      0021-Fix-remove-when-no-repos-are-enabled-RhBz-2064341.patch
 Patch0022:      0022-doc-Improve-proxy-configuration-option-documentation.patch
 Patch0023:      0023-Base.reset-plug-temporary-leak-of-libsolv-s-page-fil.patch
+Patch0024:      0024-doc-Describe-how-gpg-keys-are-stored-for-repo_ggpche.patch
+Patch0025:      0025-Add-only-relevant-pkgs-to-upgrade-transaction-RhBug-.patch
+Patch0026:      0026-Use-installed_all-because-installed_query-is-filtere.patch
 
 BuildArch:      noarch
 BuildRequires:  cmake
@@ -398,6 +401,10 @@ popd
 %{python3_sitelib}/%{name}/automatic/
 
 %changelog
+* Tue Jul 19 2022 Lukas Hrazky <lhrazky@redhat.com> - 4.7.0-11
+- [doc] Describe how gpg keys are stored for `repo_ggpcheck`
+- Add only relevant pkgs to upgrade transaction (RhBug:2097757)
+
 * Tue May 24 2022 Richard W.M. Jones <rjones@redhat.com> - 4.7.0-10
 - Backport fix for leaks of libsolv's page file descriptors in Base object
   resolves: rhbz#2087734