SELinux RPM scriplet issue annoucement
Jonathan Dieter
jdieter at lesbg.com
Sun Jan 19 20:20:54 UTC 2014
On Jan 19, 2014 8:57 PM, "Michael Schwendt" <mschwendt at gmail.com> wrote:
>
> On Sun, 19 Jan 2014 20:32:26 +0200, Jonathan Dieter wrote:
>
> > If scriptlet failures weren't fatal, we wouldn't have the problem we
> > have now with duplicate packages. We could have just pushed the selinux
> > update,
>
> After installing the previous bad update that breaks scriptlets, how would
> you activate the new selinux policy within the fixed package's %post
scriptlet?
> Instead of updating to the package in permissive mode, you would need to
> run the scriptlet contents manually *and* still reinstall any package were
> the scriptlets failed.
I was focusing on the fact that scriptlet failures lead to duplicates in
the rpm database, but, you're right, it's not the main problem.
I still think there's a good case for making scriptlet errors non - fatal,
but, in this situation, it would have had a minimal benefit.
> > [...] then bumped the release for all updates in the last few pushes,
> > and then rebuilt them.
>
> How do you know which packages a user has tried to install/update _after_
> updating to the bad policy package? It could be any package within the
package
> collection that would remain installed but broken because of the
scriptlets bug.
> You assume that users have only applied the few updates following the bad
> selinux policy update.
ACK. I didn't think this part through properly.
Jonathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140119/d2ee467c/attachment.html>
More information about the devel
mailing list