freeipa.spec: depend on bind-pkcs11-utils #6074
I think this is an incorrect change. We should not install bind-pkcs11 if only bind-pkcs11-utils is needed. So, in the package definition below, move
Also, a commit message implies that the change applies to all Fedora and all RHEL versions, it could be clarified.
+1 for @abbra 's proposal:
hi @flo-renaud and @abbra thanks for the reviews (and ack).
Removing ACK, I am going to push a different fix.
Marking as ipa-next (ipa-4-10) only.
Looking at your latest change, why can't we do runtime detection of the tool and use it accordingly? Then it will work for both old and new variants.
Online detection would be overkill for such an issue.
@fcami snuck his comment while I was typing basically the same thing. This seems like a lot of work that could be simplified in a downstream patch, unless @stanislavlevin or @tjaalton are also seeing this problem with their distros where bind ships with different tool names to do the same thing.
So, to clarify, this is what is done now:
I am concerned by this change. It means we have to branch for no other reason than this change. Why can't we detect the correct tool at runtime? The cost of branching and maintaining backports is much higher than adding a runtime detection for the tool.
I respectfully disagree. More changes like this one are bound to be required given RHEL 8 and RHEL 9 will fast diverge. Moreover, detecting the correct tool at runtime means the downstream code path will be present but not exercised nor tested in our current upstream tests unless OpenDNSSec tests are run twice, each time with a different set of installed packages. I would argue this is hardly necessary and a waste of upstream resources. With that said, if you really want to implement that detection, both tools are in Fedora:
And both tools work equally fine there, making this a 100% downstream problem.
Hmm right, looks like Debian would need the same value as Fedora for DNSSEC_KEYFROMLABEL. I need to only worry about the bind9 >= 9.16 packaging which ships /usr/sbin/dnssec-keyfromlabel. EDIT: heh, so this change would modify base/paths.py so that it would work on Debian as well, so ack from me :)
Thanks for the review @tjaalton !
Team agreed to merge this and have a reverse patch for RHEL8.
The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.
With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.
Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami@redhat.com>
master:
The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils.
Currently, bind-pkcs11-utils is only installed for RHEL<9.
With this change, FreeIPA depends on bind-pkcs11-utils on all
Fedora and RHEL versions.
Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami@redhat.com>
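
The runtime detection debated in this thread could look like the following. This is an added example, not FreeIPA code and not what was merged: the function name, the candidate table and the preference for the legacy binary when both are installed are assumptions; the two absolute paths and the `-E pkcs11` switch come from the commit message.

```python
import os
from typing import Callable, Sequence

# Fixed absolute paths only: the tool operates on PKCS#11 key labels, so it
# is never resolved through $PATH, where another binary could shadow it.
# Assumed order: the legacy binary wins when both exist, which keeps the
# pre-change behaviour on hosts that still ship bind-pkcs11-utils.
CANDIDATES = (
    ("/usr/sbin/dnssec-keyfromlabel-pkcs11", ()),           # bind-pkcs11-utils
    ("/usr/sbin/dnssec-keyfromlabel", ("-E", "pkcs11")),    # bind-dnssec-utils
)


def _is_executable_file(path: str) -> bool:
    """True only for an existing regular file the caller may execute."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def keyfromlabel_argv(
    extra_args: Sequence[str],
    is_executable: Callable[[str], bool] = _is_executable_file,
) -> list:
    """Return the argv list for whichever keyfromlabel variant is installed.

    The result is a list meant for subprocess.run(argv) without a shell, so
    labels and zone names are passed as separate arguments, never
    interpolated into a command string.
    """
    for path, engine_args in CANDIDATES:
        if is_executable(path):
            return [path, *engine_args, *extra_args]
    raise FileNotFoundError(
        "neither dnssec-keyfromlabel-pkcs11 nor dnssec-keyfromlabel is installed"
    )


if __name__ == "__main__":
    # Constructed arguments, for illustration only.
    sample = ["-l", "constructed-label", "example.test."]
    # Simulate a host where only bind-dnssec-utils is installed.
    only_new = lambda p: p == "/usr/sbin/dnssec-keyfromlabel"
    print(keyfromlabel_argv(sample, is_executable=only_new))
```

The injectable `is_executable` predicate lets both code paths be unit-tested on one host, which speaks to the objection in the thread that the second path would otherwise go unexercised upstream.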