diff --git a/0024-doc-Describe-how-gpg-keys-are-stored-for-repo_ggpche.patch b/0024-doc-Describe-how-gpg-keys-are-stored-for-repo_ggpche.patch
new file mode 100644
index 0000000..9e8acfd
--- /dev/null
+++ b/0024-doc-Describe-how-gpg-keys-are-stored-for-repo_ggpche.patch
@@ -0,0 +1,31 @@
+From 00f3016ec0d79186f08c2f0ebf450bdc3dab1311 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Thu, 23 Jun 2022 09:33:45 +0200
+Subject: [PATCH] doc: Describe how gpg keys are stored for `repo_ggpcheck`
+ (RhBug:2020678)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2020678
+---
+ doc/conf_ref.rst | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/doc/conf_ref.rst b/doc/conf_ref.rst
+index 885a4560..decb49ff 100644
+--- a/doc/conf_ref.rst
++++ b/doc/conf_ref.rst
+@@ -906,6 +906,12 @@ configuration.
+ :ref:`boolean `
+
+ Whether to perform GPG signature check on this repository's metadata. The default is False.
++ Note that GPG keys for this check are stored separately from GPG keys used in package signature
++ verification. Furthermore, they are also stored separately for each repository.
++
++ This means that dnf may ask to import the same key multiple times. For example, when a key was
++ already imported for package signature verification and this option is turned on, it may be needed
++ to import it again for the repository.
+
+ ``retries``
+ :ref:`integer `
+--
+2.36.1
+
diff --git a/0025-Add-only-relevant-pkgs-to-upgrade-transaction-RhBug-.patch b/0025-Add-only-relevant-pkgs-to-upgrade-transaction-RhBug-.patch
new file mode 100644
index 0000000..df92a9e
--- /dev/null
+++ b/0025-Add-only-relevant-pkgs-to-upgrade-transaction-RhBug-.patch
@@ -0,0 +1,64 @@
+From 25bc75cbe63289864c09ab25144ee4af232bd8f4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Mon, 4 Jul 2022 09:43:25 +0200
+Subject: [PATCH] Add only relevant pkgs to upgrade transaction (RhBug:2097757)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2097757
+
+Without this patch dnf can create the following transaction during dnf upgrade --security when there is an advisory for B-2-2:
+
+```
+repo @System 0 testtags
+#>=Pkg: A 1 1 x86_64
+#>=Pkg: B 1 1 x86_64
+#>=Req: A = 1-1
+
+repo available 0 testtags
+#>=Pkg: A 2 2 x86_64
+#>=Pkg: B 2 2 x86_64
+#>=Req: A = 2-2
+system x86_64 rpm @System
+job update oneof A-1-1.x86_64@@System B-2-2.x86_64@available [targeted,setevr,setarch]
+result transaction,problems
+```
+
+Problem is that without forcebest nothing gets upgraded despite the available advisory and --security switch.
+
+This can also be seen in CI test case: rpm-software-management/ci-dnf-stack#1130
+---
+ dnf/base.py | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/dnf/base.py b/dnf/base.py
+index 852fcdd8..82466831 100644
+--- a/dnf/base.py
++++ b/dnf/base.py
+@@ -2135,7 +2135,24 @@ class Base(object):
+ query.filterm(reponame=reponame)
+ query = self._merge_update_filters(query, pkg_spec=pkg_spec, upgrade=True)
+ if query:
+- query = query.union(installed_query.latest())
++ # Given that we use libsolv's targeted transactions, we need to ensure that the transaction contains both
++ # the new targeted version and also the current installed version (for the upgraded package). This is
++ # because if it only contained the new version, libsolv would decide to reinstall the package even if it
++ # had just a different buildtime or vendor but the same version
++ # (https://github.com/openSUSE/libsolv/issues/287)
++ # - In general, the query already contains both the new and installed versions but not always.
++ # If repository-packages command is used, the installed packages are filtered out because they are from
++ # the @system repo. We need to add them back in.
++ # - However we need to add installed versions of just the packages that are being upgraded. We don't want
++ # to add all installed packages because it could increase the number of solutions for the transaction
++ # (especially without --best) and since libsolv prefers the smallest possible upgrade it could result
++ # in no upgrade even if there is one available. This is a problem in general but its critical with
++ # --security transactions (https://bugzilla.redhat.com/show_bug.cgi?id=2097757)
++ # - We want to add only the latest versions of installed packages, this is specifically for installonly
++ # packages. Otherwise if for example kernel-1 and kernel-3 were installed and present in the
++ # transaction libsolv could decide to install kernel-2 because it is an upgrade for kernel-1 even
++ # though we don't want it because there already is a newer version present.
++ query = query.union(installed_query.latest().filter(name=[pkg.name for pkg in query]))
+ sltr = dnf.selector.Selector(self.sack)
+ sltr.set(pkg=query)
+ self._goal.upgrade(select=sltr)
+--
+2.36.1
+
diff --git a/0026-Use-installed_all-because-installed_query-is-filtere.patch b/0026-Use-installed_all-because-installed_query-is-filtere.patch
new file mode 100644
index 0000000..37cb404
--- /dev/null
+++ b/0026-Use-installed_all-because-installed_query-is-filtere.patch
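Review bot: The new `query = query.union(installed_query.latest().filter(name=[pkg.name for pkg in query]))` line is built on `installed_query`, which 0026 later in this same series replaces with `installed_all` because `installed_query` is derived from the user's spec and can be empty while other versions of the package are installed (the kernel-1/kernel-3/kernel-2 case in 0026's message). With only 0025 applied the series is therefore in a known-bad intermediate state; consider folding 0026 into 0025, or referencing 0026 in 0025's subject, so that a partial application of the series never builds with this patch alone. The enclosing method starts before and ends after the hunk, so the definitions of `installed_query` and `installed_all` are not visible here.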
@@ -0,0 +1,37 @@
+From fea1f456d3d5f3015ebcff4008959916bdaaf6d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?=
+Date: Mon, 4 Jul 2022 09:46:29 +0200
+Subject: [PATCH] Use `installed_all` because `installed_query` is filtered
+ user input
+
+`installed_query` could be missing packages. If we specify we want to
+upgrade a specific nevra that is not yet installed, then `installed_query`
+is empty because it is based on user input, but there could be other
+versions of the pkg installed.
+
+Eg: if kernel-1 and kernel-3 are installed and we specify we want to
+upgrade kernel-2, nothing should be done because we already have higher
+version, but now `installed_query` would be empty and kernel-2 would be
+installed.
+
+Therefore, we need to use `installed_all`.
+---
+ dnf/base.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dnf/base.py b/dnf/base.py
+index 82466831..e606d9fa 100644
+--- a/dnf/base.py
++++ b/dnf/base.py
+@@ -2152,7 +2152,7 @@ class Base(object):
+ # packages. Otherwise if for example kernel-1 and kernel-3 were installed and present in the
+ # transaction libsolv could decide to install kernel-2 because it is an upgrade for kernel-1 even
+ # though we don't want it because there already is a newer version present.
+- query = query.union(installed_query.latest().filter(name=[pkg.name for pkg in query]))
++ query = query.union(installed_all.latest().filter(name=[pkg.name for pkg in query]))
+ sltr = dnf.selector.Selector(self.sack)
+ sltr.set(pkg=query)
+ self._goal.upgrade(select=sltr)
+--
+2.36.1
+
diff --git a/dnf.spec b/dnf.spec
index e04ac8e..421b865 100644
--- a/dnf.spec
+++ b/dnf.spec
@@ -66,7 +66,7 @@ It supports RPMs, modules and comps groups & environments.
 Name: dnf
 Version: 4.7.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: %{pkg_summary}
 # For a breakdown of the licensing, see PACKAGE-LICENSING
 License: GPLv2+
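Review bot: The corrected line `query = query.union(installed_all.latest().filter(name=[pkg.name for pkg in query]))` is justified only by the kernel-1/kernel-3/kernel-2 scenario in the commit message, and that scenario is exactly what a regression test should pin — a ci-dnf-stack case next to the #1130 case that 0025 references would stop this line from regressing the way 0025 already did once. The filter selects installed packages by name only, so for a multilib name it pulls in every arch; whether `latest()` then keeps one package per (name, arch) or one per name is not visible here, and if it is per name the other arch's installed package would be left out of the transaction, re-opening the libsolv reinstall concern the comment above describes — worth confirming against hawkey's `latest()` semantics. The enclosing method starts before and ends after the hunk, so whether `installed_query` is still used elsewhere in it cannot be checked from this patch.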
@@ -99,6 +99,9 @@ Patch0020: 0020-cli-commands-history-Fix-history-undo-on-a-Reason-Ch.patch
 Patch0021: 0021-Fix-remove-when-no-repos-are-enabled-RhBz-2064341.patch
 Patch0022: 0022-doc-Improve-proxy-configuration-option-documentation.patch
 Patch0023: 0023-Base.reset-plug-temporary-leak-of-libsolv-s-page-fil.patch
+Patch0024: 0024-doc-Describe-how-gpg-keys-are-stored-for-repo_ggpche.patch
+Patch0025: 0025-Add-only-relevant-pkgs-to-upgrade-transaction-RhBug-.patch
+Patch0026: 0026-Use-installed_all-because-installed_query-is-filtere.patch
 BuildArch: noarch
 BuildRequires: cmake
@@ -398,6 +401,10 @@ popd
 %{python3_sitelib}/%{name}/automatic/
 %changelog
+* Tue Jul 19 2022 Lukas Hrazky - 4.7.0-11
+- [doc] Describe how gpg keys are stored for `repo_ggpcheck`
+- Add only relevant pkgs to upgrade transaction (RhBug:2097757)
+
 * Tue May 24 2022 Richard W.M. Jones - 4.7.0-10
 - Backport fix for leaks of libsolv's page file descriptors in Base object
 resolves: rhbz#2087734