Drawing lessons from fatal SELinux bug #1054350

Michael Schwendt mschwendt at gmail.com
Fri Jan 24 18:26:24 UTC 2014


On Fri, 24 Jan 2014 00:55:23 +0100, Kevin Kofler wrote:

> it is time to analyze the fallout from the following catastrophic Fedora 20 
> regression:
> https://bugzilla.redhat.com/show_bug.cgi?id=1054350
> "rpm scriptlets are exiting with status 127"

> * We are losing users to Ubuntu because of this issue.

Always hard to comment on without have seen numbers/statistics first.

IMO, there's some sort of "pork cycle" related to users switching
distributions forth and back after a couple of releases. Around Fedora 18
users of Ubuntu have returned. The current Anaconda is not everyone's
coup of tea, however, so that's one point where users are lost already.

> * The bug now has 38 (!) duplicates in Bugzilla, plus many complaints on 
> IRC, mailing lists, comments to other unrelated bugs (the fix for which 
> cannot be installed due to the SELinux bug) etc.

As I've searched for and closed several of the dupes, the various bug
reports are interesting. The users have misidentified the problem as
being a problem in the package/update they wanted to install. Some have
noticed many packages failing and have blamed Yum. I wonder how many
users are affected by the problem and have not done anything yet (since,
for example, they expect an update to fix it "magically").

> * That update made it out to the stable updates! In other words, the 
> draconian Update Policies that were enacted in a vain attempt to prevent 
> such issues from happening utterly failed at catching this bug.

Those policies are not "draconian" enough [1]. On erroneous belief that
a +1 from three different testers would mean that the update has seen
enough testing, the test update has been published with the default karma
threshold of +3. The testers have failed. It's too simple for testers to
rush through the voting in bodhi without testing the updates
painstakingly. "The faster the better" has lead to a fatal mistake in
this case.

[1] It's up to the package maintainers to disable karma automatism or
to increase the threshold. AFAIK, the selinux maintainers are open to
doing exactly that.


More information about the devel mailing list