Comment 6 for bug 1746947

Christian Ehrhardt  (paelzer) wrote :

For a better overview and to make a decision (as a +really version always sucks to some extent) I did some tests:
- built nss 3.34 with the freebl3 change in ppa [1] as 2:3.35-2ubuntu1+really3.34-1ubuntu2
- set up some containers to test
- ran the sequence of installs/commands that freeipa tests would do

I did so in different combinations:
1. freeipa 4.4.4 + nss 3.34-1ubuntu1 (as bionic is)
2. freeipa 4.6.3 + nss 3.35-1ubuntu1 (full bionic proposed)
3. freeipa 4.4.4 + nss 3.35-1ubuntu1 (as tested by autopkgtest by pinning)
4. freeipa 4.4.4 + nss 3.35-2ubuntu1+really3.34-1ubuntu2 (ppa)
5. freeipa 4.6.3 + nss 3.35-2ubuntu1+really3.34-1ubuntu2 (proposed + ppa)

I tested:
- the install that fails in the autopkgtest
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common
    freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib
    python-ipaserver python-ipatests
- the python call that fails (old & new form of it as it needs an additional import in 4.6.2)
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()'

   | #1 install | #2 old python                     | #3 new python
1. | ok         | ok                                | fail (4.4 has only old import)
2. | ok         | (skip) fail (4.6 need new import) | ok
3. | fail       | fail (nss format)                 | fail (4.4 has only old import)
4. | ok         | ok                                | fail (4.4 has only old import)
5. | ok         | (skip) fail (4.6 need new import) | ok

So an nss upload should work as planned with both versions:
- freeipa 4.4 (case 4. #2)
- freeipa 4.6 (case 5. #3)
- and both cases would install (4./5. #1).

Due to the hint by Timo (thanks) I found [1] which explains a bit what is going on.
That is a nice change to be made in nss, but not unplanned and unprepared.
Some consuming packages need to be adapted first, and that was not what I intended by picking a new minor version. So that as well points to an upload reverting the move to 3.35.

Get me right - the move to 3.35 and the new file format should be done at some point, but not now unplanned (it accidentally slipped in by the merge) - so I'm uploading 2:3.35-2ubuntu1+really3.34-1ubuntu2 to un-break it for now.

[1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql