package, package2, package3 naming-with-version exploit

Florian Festi ffesti at redhat.com
Thu Apr 4 12:48:13 UTC 2013


On 04/04/2013 01:55 PM, Vít Ondruch wrote:
> I am not asking RPM developers to change policy, I am asking RPM
> developers to lay out foundation. It does not make sense to change
> policy, if there are no tools to fulfill it.

Well, Fedora demanding a set of tools will much more likely result in
some action. Also a policy about multi version packages can be put in
place independent of a technical implementation.

> Well, if somebody wants to maintain some package, it probably doesn't
> matter which version. If somebody is qualified enough to maintain
> version X-1, (s)he is probably qualified enough to maintain version X.

This is not about qualification but about will to do the work. If the
owner of the package is unwilling to maintain another version and
unwilling to let you play in his sandbox, just having a new tree is a
good solution.

> Ok, so what is the purpose of the version field then? Let's drop it, if
> nobody cares. You could remove a few lines in Fedora, the depsolver could be
> dumber.

Well, I tried to explain that in my first mail. Read it again.

> Yes, I am exaggerating here, but does it make sense to have package
> python3-3.3? Why don't we have python3-1.0? Where is the version 1.0 of
> python 3? Why are we duplicating the version? None of these questions makes
> you think that we are doing something wrong?

No, I just don't care. You can use whatever you want as name or
version. Rpm just cares if the names of two packages are the same and if
one version is considered bigger, smaller or equal according to a quite
obscure set of rules.

Feel free to have python3-1.2-0 providing Python = 3.1.2


> Yes, this is "install only packages" variation and this is the most
> basic scenario I'd love to see in Fedora.

Well, as I and Seth already told you the tools kinda do support this
scenario. As this is not actually used, I'd guess that there are still
some bugs or missing features to actually make this work. If you want to
do something constructive just try this out and file precise bugs to
make installonlypkgs work for your use case. As always supplying patches
might speed things up.

> An extension of this is that you should be able to update an installed package
> of a specific version, if a new release of it is available. That would allow
> us to fix security issues in older packages.

I doubt that this will make it into yum. Maybe you can convince the dnf
developer, as the dnf depsolver is better suited to deal with the
scenarios that arise from such a feature.

Florian
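The "quite obscure set of rules" Florian refers to is rpm's segment-wise version comparison. The Python below is an added illustration, not part of this thread and not rpm's own code: it reimplements the algorithm documented in rpm's lib/rpmvercmp.c (the tilde pre-release marker is handled; the caret marker rpm added in a later release is left out) and then compares epoch:version-release strings the way a depsolver would, assuming both strings carry a release. The sample version strings are constructed for the demonstration.

```python
"""Reimplementation of rpm's version comparison rules (after lib/rpmvercmp.c).

Added illustration only: not code from the rpm project or from this thread.
Handles the '~' pre-release marker; the later '^' marker is omitted.
"""
import re
import string

_ALNUM = set(string.ascii_letters + string.digits)
_DIGITS = re.compile(r'[0-9]+')
_ALPHA = re.compile(r'[A-Za-z]+')


def _skip_separators(s: str, i: int) -> int:
    """Advance past characters that are neither alphanumeric nor '~'."""
    while i < len(s) and s[i] not in _ALNUM and s[i] != '~':
        i += 1
    return i


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if they compare equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i = _skip_separators(a, i)
        j = _skip_separators(b, j)
        ca = a[i] if i < len(a) else ''
        cb = b[j] if j < len(b) else ''
        # '~' sorts before everything, even the end of the string: 1.0~rc1 < 1.0
        if ca == '~' or cb == '~':
            if ca != '~':
                return 1
            if cb != '~':
                return -1
            i += 1
            j += 1
            continue
        # one side ran out of characters; decided after the loop
        if not (ca and cb):
            break
        # the next segment is a run of digits or a run of letters, chosen by a
        pattern, isnum = (_DIGITS, True) if ca in string.digits else (_ALPHA, False)
        m_a = pattern.match(a, i)
        m_b = pattern.match(b, j)
        if m_b is None:
            # segment kinds differ: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        seg_a, seg_b = m_a.group(), m_b.group()
        if isnum:
            # numeric segments: drop leading zeros, then the longer number wins
            seg_a, seg_b = seg_a.lstrip('0'), seg_b.lstrip('0')
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:  # same length (or both alpha): plain string order
            return 1 if seg_a > seg_b else -1
        i, j = m_a.end(), m_b.end()
    # all segments compared equal; whichever still has characters left is newer
    left_a, left_b = i < len(a), j < len(b)
    if left_a == left_b:
        return 0
    return 1 if left_a else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (int, str, str); epoch defaults to 0."""
    epoch = 0
    if ':' in evr:
        head, evr = evr.split(':', 1)
        epoch = int(head)
    version, _, release = evr.partition('-')
    return epoch, version, release


def compare_evr(x: str, y: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    e1, v1, r1 = parse_evr(x)
    e2, v2, r2 = parse_evr(y)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


if __name__ == '__main__':
    # constructed sample pairs showing the rules that surprise people most
    for x, y in [('1.10', '1.9'), ('1.0~rc1', '1.0'), ('1.a', '1.1'),
                 ('1.0', '1_0'), ('1:1.0-1', '2.0-1'), ('3.3-1.fc19', '3.3-1.fc18')]:
        print(f'{x:>12} vs {y:<12} -> {compare_evr(x, y):+d}')
```

The release-less "Python = 3.1.2" in a Provides line is matched by rpm with the release ignored; compare_evr above does not model that, it compares whatever is present on both sides.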