package, package2, package3 naming-with-version exploit

Vít Ondruch vondruch at redhat.com
Thu Apr 4 13:42:11 UTC 2013


On 4.4.2013 14:48, Florian Festi wrote:
> On 04/04/2013 01:55 PM, Vít Ondruch wrote:
>> I am not asking RPM developers to change policy, I am asking RPM
>> developers to lay out foundation. It does not make sense to change
>> policy, if there are no tools to fulfill it.
> Well, Fedora demanding a set of tools will much more likely result in
> some action. Also a policy about multi version packages can be put in
> place independent of a technical implementation.

That is possible, however unlikely.

>
>> Well, if somebody wants to maintain some package, it probably doesn't
>> matter which version. If somebody is qualified enough to maintain
>> version X-1, (s)he is probably qualified enough to maintain version X.
> This is not about qualification but about will to do the work. If the
> owner of the package is unwilling to maintain another version and
> unwilling to let you play in his sandbox, just having a new tree is a
> good solution.

I understand your point, although I have to admit that if this happens, 
we are in more serious troubles than if we could install parallel 
packages or not. We all should kick for the same team. I cannot imagine 
that somebody has his/her "private" playground in Fedora. That would be 
totally wrong.

>
>> Ok, so what is the purpose of version field then? Let's drop it, if
>> nobody cares. You could remove a few lines in Fedora, depsolver could be
>> dumber.
> Well, I tried to explain that in my first mail. Read it again.

Ok, update paths. You have them just with Release as well, so we can 
drop the version, which will become part of package name.

>
>> Yes, I am exaggerating here, but does it make sense to have package
>> python3-3.3? Why don't we have python3-1.0? Where is the version 1.0 of
>> python 3? Why are we duplicating the version? None of these questions makes
>> you think that we are doing something wrong?
> No, I just don't care. You can use whatever you want as name or
> version. Rpm just cares if the name of two packages are the same and if
> one version is considered bigger, smaller or equal according to a quite
> obscure set of rules.

Yes, that is fine from the RPM point of view. But RPM has its users, who 
might need some changes from RPM to achieve their goals.

>
> Feel free to have python3-1.2-0 providing Python = 3.1.2
>
>
>> Yes, this is "install only packages" variation and this is the most
>> basic scenario I'd love to see in Fedora.
> Well, as I and Seth already told you the tools kinda do support this
> scenario. As this is not actually used, I'd guess that there are still
> some bugs or missing features to actually make this work. If you want to
> do something constructive just try this out and file precise bugs to
> make installonlypkgs work for your use case. As always supplying patches
> might speed things up.

Although they might support it, and Kernel would be the first user, even for 
Kernel, a hack is used instead of a systematic solution as far as I 
know. As long as Kernel is treated specially in this regard, there 
is not much to do on my side.

>
>> Extension of this is that you should be able to update installed package
>> of specific version, if its new release is available. That would allow
>> to fix security issues in older packages.
> I doubt that this will make it into yum. Maybe you can convince the dnf
> developer as the dnf depsolver is better suited to deal with the
> scenarios that arise from such a feature.
>

That is my intention ;)


Vít

