-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rpminspect complains about missing depedency that is provided transitively #1231
Comments
Hmm 🤔 I'd argue that it is a good practice to list the dependencies explicitly. Do you see any problems or disadvantages with the explicit listing? |
It's not that an explicit listing would be bad. But it might be unnecessary, and it is not an error to not have it. This warning is about subpackages of a single package, maintained together, and it's entirely reasonable for the maintainer to make use of transitive dependencies like this. If this was between different packages, then I'd argue that it should always be declared explicitly, because the other package may rearrange components at any time. But when it's all in a single spec file, the maintainer fully controls all the subpackages. In particular, the maintainer might want to not add those dependencies explicitly to keep down the complexity of the spec file. In general, this is another of those cases where some advice might be useful in some cases, but it's very hard to figure out programatically if it applies. Rpminspect presents this as certain. I would very much prefer for rpminspect to not print the warning at all, so that we can get to point where warnings from rpminspect have no false positives, or almost no false positives, and then maintainers are motivated to fix the issues that are reported. |
rpminspect's behavior for this check comes from the longstanding practice that automatically generated shared object dependencies at rpmbuild time should be explicitly added as Requires in the spec file. https://docs.fedoraproject.org/en-US/packaging-guidelines/#_explicit_requires The guidance on this topic these days is unclear to me, but it seems we still lean in that direction. Personally, I feel explicitly listing them is better than not because it gives a hard requires on the dependent package NVR rather than relying on the autodep which just gives the SONAME and could lead to a situation where you have version mismatches installed for those subpackages. Though honestly we wouldn't have that problem in the world of Linux if we [developers] were better about API versioning and stability, but we're not. :) rpminspect does not unwrap explicit dependencies like you describe. I suppose I could add support for that, but it does feel like shaving the yak. [Side topic... looking at systemd and systemd-libs, are those packages ever able to exist by themselves or do you always need to have both installed? I prefer fewer packages than more packages and if these two effectively act as a single package, I would recommend putting systemd-libs content in systemd.] |
Nope, in this case (as described in the original report), I have explicit deps with a fixed version. So autodep is not used here at all.
Well… I'd say that the the implementation of the original check was the shaving of the yak. It must have been quite a bit of work, but it was done without apparently considering various way in which the check is insufficient.
|
I added the missing arch markers in systemd now: https://src.fedoraproject.org/rpms/systemd/c/14701a7bc8e3f75116e63e035c4204a6188b359f?branch=rawhide |
Prompted by the discussion in rpminspect/rpminspect#1231.
Right, I did see that. I was explaining more the origin of what rpminspect is doing. Unfortunately a lot of the "why" of the rpmdeps check has been lost to time, but it was all built for issues showing up in RHEL at the time. I was not trying to claim it makes sense or not.
I did the implementation in rpminspect basically by reimplementing what rpmdiff had been doing as my first order of business was feature parity. And yes, it was quite a bit of work. I knew that its first iteration would present problems like this, but I did not have a good way to determine what packages in the wild would present these issues. My goal is to make the check mostly useful for the purposes of shipping a functional distribution. My yak shaving comment was meant to imply that we can keep going down the path of handling more and more RPM dependency cases, but at some point we [the distribution] needs a packaging policy in place that says how we will use the features of the packaging system and what self-imposed limits we will have. That's sort of the objective of rpminspect is to enforce the rules we make for ourselves. Your not wrong that this functionality is fine in RPM packages, but I want to see that cross-referenced with packaging policy.
Noted, thanks. |
A package with automatic shared library dependencies usually require an explicit Requires on the %{name} = %{version}-%{release}. This is done to ensure subpackages don't drift from the main package when performing upgrades. However, it is also possible to have those explicit Requires handled by transitive Requires. That is having an explicit Requires on a package that then itself has an explicit Requires on the package you need. This commit implements that check when looking for explicit Requires and treats it as satisifed. Fixes: rpminspect#1231 Signed-off-by: David Cantrell <dcantrell@redhat.com>
A package with automatic shared library dependencies usually require an explicit Requires on the %{name} = %{version}-%{release}. This is done to ensure subpackages don't drift from the main package when performing upgrades. However, it is also possible to have those explicit Requires handled by transitive Requires. That is having an explicit Requires on a package that then itself has an explicit Requires on the package you need. This commit implements that check when looking for explicit Requires and treats it as satisifed. Fixes: #1231 Signed-off-by: David Cantrell <dcantrell@redhat.com>
The dependency is provided transitively:
It is a fairly common pattern to have such transitive deps between subpackages. I think rpminspect could figure out if a dependency is satisfied transitively among subpackages.
Also, I think the dependency needs to be archful. I.e. it should include
(%_isa)
. In systemd, the systemd subpackage doesn't have this, which is probably an error. The advice given by rpminspect should include it, because libraries by definition are compiled code and archful.The text was updated successfully, but these errors were encountered: