 |
I'm curious if this is related to the changes we made to updateinfo.xml generation for the Rocky Repositories. I've been working on an update to the Apollo system that will provide aggregated advisories for a given major version of the operating system. Before these changes a given minor release would ONLY contain advisories for that specific minor version. With the new changes, updateinfo.xml should now contain advisories for all previous minor versions as well. Are you able to provide the differing lists of associated packages for these failing advisories? |
|
|
I was not able to spot anything obvious comparing the output of dnf updateinfo. Looking at the raw updateinfo data, I notice that there is disagreement about the collection name and short name. Here is what our mirror has: <pkglist> <collection short="rocky-linux-8-x86-64-baseos-rpms"> <name>rocky-linux-8-x86-64-baseos-rpms</name> <package name="libreport-filesystem" version="2.9.5" release="15.el8.rocky.6.3" epoch="0" arch="x86_64" src="libreport-2.9.5-15.el8.rocky.6.3.src.rpm"> <filename>libreport-filesystem-2.9.5-15.el8.rocky.6.3.x86_64.rpm</filename> <sum type="sha256">cc21df056d6c76f8b9e583b2de81e63f00203365ba633c9491666603a23920cd</sum> </package> </collection> </pkglist> Here is the updateinfo of the upstream: <pkglist> <collection short="none-baseos-rpms"> <name>none-baseos-rpms</name> <package name="libreport-filesystem" arch="x86_64" epoch="0" version="2.9.5" release="15.el8.rocky.6.3" src="libreport-2.9.5-15.el8.rocky.6.3.src.rpm"> <filename>libreport-filesystem-2.9.5-15.el8.rocky.6.3.x86_64.rpm</filename> <sum type="sha256">cc21df056d6c76f8b9e583b2de81e63f00203365ba633c9491666603a23920cd</sum> </package> </collection> </pkglist> |
|
|
That's valuable information and certainly looks like a bug. Let me take a look to see what could be happening. |
|
|
Using the original updateinfo generation endpoint for one of the advisories in question I see the following package list: <pkglist> <collection short="rocky-linux-8-x86-64-baseos-rpms"> <name>rocky-linux-8-x86-64-baseos-rpms</name> <package name="gsettings-desktop-schemas" arch="x86_64" epoch="0" version="3.32.0" release="6.el8" src="gsettings-desktop-schemas-3.32.0-6.el8.src.rpm"> <filename>gsettings-desktop-schemas-3.32.0-6.el8.x86_64.rpm</filename> <sum type="sha256">ef0bee544ec9f62c9d8746d753fdbef129a1d5a1d94c19cc503d69396239c57a</sum> </package> </collection> </pkglist> The same with the new endpoint we get a triple duplicate in the package list: <pkglist> <collection short="none-baseos-rpms"> <name>none-baseos-rpms</name> <package name="gsettings-desktop-schemas" arch="x86_64" epoch="0" version="3.32.0" release="6.el8" src="gsettings-desktop-schemas-3.32.0-6.el8.src.rpm"> <filename>gsettings-desktop-schemas-3.32.0-6.el8.x86_64.rpm</filename> <sum type="sha256">ef0bee544ec9f62c9d8746d753fdbef129a1d5a1d94c19cc503d69396239c57a</sum> </package> <package name="gsettings-desktop-schemas" arch="x86_64" epoch="0" version="3.32.0" release="6.el8" src="gsettings-desktop-schemas-3.32.0-6.el8.src.rpm"> <filename>gsettings-desktop-schemas-3.32.0-6.el8.x86_64.rpm</filename> <sum type="sha256">ef0bee544ec9f62c9d8746d753fdbef129a1d5a1d94c19cc503d69396239c57a</sum> </package> <package name="gsettings-desktop-schemas" arch="x86_64" epoch="0" version="3.32.0" release="6.el8" src="gsettings-desktop-schemas-3.32.0-6.el8.src.rpm"> <filename>gsettings-desktop-schemas-3.32.0-6.el8.x86_64.rpm</filename> <sum type="sha256">ef0bee544ec9f62c9d8746d753fdbef129a1d5a1d94c19cc503d69396239c57a</sum> This is likely due to how the new endpoint works by aggregating advisory information across multiple minor versions. From local testing this looks to be an issue when the same advisory was processed using multiple mirrors leading to duplicate entries in one of the tables in the DB. The quick fix here is to add deduplication logic to the updateinfo.xml generation script. While fixing this I'll also look at the issue with `none` in the collection and name. |
|
|
There were indeed two bugs related to the behavior observed in this Mantis issue: Duplicate Packages: The new updateinfo endpoint sometimes emitted duplicate <package> entries within the <pkglist> element, stemming from advisory/package matching logic that didn’t account for multiple mirrors and products associated with a single advisory. Collection/Name Strings: The <collection short> and <name> elements occasionally contained default values such as none-*-rpms rather than the expected product-specific strings because the endpoint wasn’t passing the necessary product information for XML generation. A PR has been opened to address both issues: https://github.com/resf/distro-tools/pull/75. Fixes include deduplication logic for the v2 endpoint (which processes multiple mirrors/products), and ensuring product context is properly passed to the XML builder. For testing, the development Apollo instance has the updated endpoint: ``` curl -X GET "https://apollo.ciq.dev/api/v3/updateinfo/rocky-linux/8/BaseOS/updateinfo.xml?arch=x86_64" -H "Accept: application/xml" -o v2_fixed_rocky8-baseos-x86_64-updateinfo.xml ``` You can compare with the current (unfixed) production endpoint: ``` curl -X GET "https://apollo.build.resf.org/api/v3/updateinfo/rocky-linux/8/BaseOS/updateinfo.xml?arch=x86_64" -H "Accept: application/xml" -o v2_rocky8-baseos-x86_64-updateinfo.xml ``` Note: The development Apollo instance may have a limited subset of advisories but should be sufficient for basic regression and validation. Additionally, the PR includes new automated tests to help catch regressions for these classes of bugs. If further issues are encountered in the dev instance, please let me know and I’ll investigate! |
- Anonymous
