Bug 489124

Created attachment 282210 [details]
output of 'zypper up'

This probably is not a bug.

1) Your openSUSE updater probably check for 'patches' rather than
   package updates, see what 'zypper list-patches' tells you.
   If you're familiar with older zypper, see the changes pages at:
   http://en.opensuse.org/Zypper/Versions

2) The vendor changes are allowed between trusted vendors. It depends on what
   you have in your /etc/zypp/vendors.d/ directory. Seems the other vendor
   that zypper wants to update from is trusted. Retry with 'zypper -v up'
   to see what is the name of the new vendor and check what you have in
   /etc/zypp/vendors.d.

JFYI: aptitude update == zypper refresh, and yes, aptitude safe-upgrade == zypper update

> zypper list-patches
Daten des Repositorys laden...
Installierte Pakete lesen...
Patches

Keine Aktualisierungen gefunden.  (no actualizations found).

> zypper -v up:
... wants to change packages to os11.0-oss; however the Opensuse 11.0 repository should not contain newer package versions than the Opensuse 11.1 repo.

.

Please call 'zypper up --debug-solver' 
and attach the created solver test case (/var/log/zypper.solverTestCase).

Created attachment 282247 [details]
zypper up --debug-solver

.

(In reply to comment #3)
> > zypper -v up:
> ... wants to change packages to os11.0-oss; however the Opensuse 11.0
> repository should not contain newer package versions than the Opensuse 11.1
> repo.

This is not a matter of package version only. The highest key is the repository priority:
                         HIGH
 repo-update             priority=20
 Libdvdcss repository    priority=99
 emulators               priority=99
 ati                     priority=99
 os11.0-oss              priority=99
 os11.0-packman          priority=99
 zypper                  priority=99
 tuxracer                priority=99
 repo-oss                priority=100
 repo-non-oss            priority=100
                         LOW

As your os11.0 repos have higher priority than the repo-oss, the solver will always prefer their packages, independently of the version.

That's how repository priority works.

  Perhaps user added repositories should have a lower priority (i.e. a higher number) by default. Usually these repositories contain additional software not available anywhere else but are less trustworthy than the core distro packages.
f.i. I do not want packages to be installed from Packman if they are available in the core distro as well.

 There are still a lot of packages that will change the distributor (reassigned-priorities), fortunately now to openSUSE-11.1-Oss.
  However I would like to know the previous distributor (to check if everything is right; zypper if seems to return the best available package source only and not the currently installed; neither can rpm).

c#9: But then users would complain "where are the updates?". Anyway, we can discuss that, but not in bugzilla, but rather on opensuse-softwaremgmt@opensuse.org, or other mailing list or forum...

c#10: yes, i'm working on that right now. See bug 389128.

As far as now I think there has been a minimal agreement on package repository priorities on the meanwhile fallen asleep mailing list discussion:

user added repos should have a lower priority i.e. a higher number assigned than system repos; not only for security reasons.

Nevertheless you should be free to implement any of the other suggestions :) i.e. concerning 'install from dvd & update' instead of 'download newer package'.

OK, but please let's not start a bugzilla ping-pong. We are saying that this is not a bug, so please leave it closed.

As for the ML thread, it seems that the two people replying to your mail disagree with having lower priority for user-added repos, and present their arguments. You can still discuss this with other suse users, and point them to the thread so they give their opinion too. What if other people like it just like it is now?

In his last mail Michael Schroeder said:

>  I would suggest user added repos to have a lower
> > priority i.e. a higher number (how confusing) because these sources are
> > generally less trustworthy (Packman, SW self compiled by Opensuse-users
> > , 3rd party SW).
> 
> But all opensuse repos and the opensuse update repos have same
> priority? Good, that's one point we're agreeing on.
>
He explicitly agreed on this.
Neither you nor Michael Andres opposed to this position.
Consequently I have inferenced that there is a general agreement on this core issue.

Besides this the apparently erroneous behaviour described in this bug will not go until we pose a fix like the described priority inversion (That is why I do wanna keep this as bug!). Please leave this as wontfix if you disagree and are simply not open to any further arguments.

However if you oppose I will have to reconsider my effort in testing, bug reporting and using Opensuse. If the Suse developers are simply too ignorant on security issues I will have to switch the distribution (Enh 491193, Bug 474949: https://bugzilla.novell.com/show_bug.cgi?id=491193).

(In reply to comment #14)
> >
> He explicitly agreed on this.
> Neither you nor Michael Andres opposed to this position.
> Consequently I have inferenced that there is a general agreement on this core
> issue.

I overlooked this, sorry. I've read the thread once again.

So based on what was said here, and on the ML (Elmar, please try to write shorter emails :O), it seems 'the core issue' is neither zypper up doing upgrades, nor incorrect solver behavior, but incorrect priority assignments in the control.xml file on our media, which is _probably_ how you ended up with these repo priorities. But we never confirmed that - how did you add those repositories? Were they added during installation?

@coolo: this is probably for you then. The control.xml should be fixed for the next release. Please check the discussion at http://lists.opensuse.org/opensuse-softwaremgmt/2009-04/msg00000.html.

(In reply to comment #14)
>
> Besides this the apparently erroneous behaviour described in this bug will not
> go until we pose a fix like the described priority inversion (That is why I do
> wanna keep this as bug!). Please leave this as wontfix if you disagree and are
> simply not open to any further arguments.

What made you conclude we are (or i am) not open to further arguments? Didn't i ask you to get more opinions to the thread in my previous comment? Or was it the fact that nobody replied to your mails since 4/16? Well, we're all busy with many things, a 'ping' mail usually helps in such case. No need to reopen a bug just to get attention.

> However if you oppose I will have to reconsider my effort in testing, bug
> reporting and using Opensuse. If the Suse developers are simply too ignorant on
> security issues I will have to switch the distribution (Enh 491193, Bug 474949:
> https://bugzilla.novell.com/show_bug.cgi?id=491193).

I'm sorry you feel that way, i'm convinced this is a problem of communication, rather than unwillingness. It's quite hard to understand each other via the bugzilla, or emails. So let's be patient.

forgot to change the summary...

Just to sum it up, the point is, the core repositories (updates, core opensuse online/DVD repos) must not have lower priority than the default (which is what manually added repos automatically get).

The discussion then is, what priorities they should have. None (default)? Higher?

(In reply to comment #18)
> Just to sum it up, the point is, the core repositories (updates, core opensuse
> online/DVD repos) must not have lower priority than the default (which is what
> manually added repos automatically get).

Correction: the core repositories must not get lower priority (during installation) than is the default. If added later via zypper, or yast, the repos will always get the default priority.

> The discussion then is, what priorities they should have. None (default)?
> Higher?

Yes, exactly.
Sorry for the snapshot.
  As far as I know all user added repos, be that via executing an ymp-file like codecs-gnome/kde.ymp or simply via 'zypper ar', get priority 99 assigned. Nevertheless system repos may be supposed to have higher priority by default.

i.e. should have higher priority.

factory has 99 for all - as mls told me to do over a month ago

Testing Opensuse 11.2, Milestone 6 and there is still no accurate priority assignment to user added repos. I think we have discuessed this long enough on the mailing list! User added repos still get the same priority as other repos instead of giving them a lower pty..-

?

  Did MlS tell you anything not published in the mailing lists?
I thought we have already agreed on lower priorities for user added repos (see again:  Comment #14; - and that was truely *after* him suggesting equal priorities for all repos!). However it is currently not implemented like this.

  If he should have told you anything not published on the mailing list please let us reopen the discussion (Bug 536903 and Bug 535482 reveal further issues about messed repo priorities.).

Sigh, all I said was that we agree that the update repo and the opensuse repo should have the same priority. (And I don't decide which priorities to use, that's up to the people responsible for the product.)

from what I can see, no-one but Elmar agreed that user repos should a different prio and I don't see any reason why someone registering a backport repo should get penalty. Mls and me agreed that all repos having the same prio is what users expect when they update -> highest versions are installed.

  Assigning a lower priority to the user added repos will shield the unsuspecting user from harm: It happens often that a program is f.i. not available for OS 11.1 but for OS 11.0 so that the user will have to add a repo for an elder version (like at Bug 535482).
  Even for the many third party repos of the same release version like f.i. Packman I would consider assigning a lower priority by default as good style. Opensuse packages use to be of better quality; besides this security considerations point out the same. That is why I do not want amarok-2.1.1-4.2 being installed from Packman if amarok-2.1.1-4.1 is available from an Opensuse repo.
  Those people who favour the newest sub-version regardless of the provider should have to set the priority manually. This is just good style as default behaviour should be geared to the unsuspecting user, not to the version junkie. Having the latest sub-version makes to my experience only sense for a tester or perhaps an experienced user. You do not draw all packages from factory repos either!

  Please be open to arguments and don`t simply implement what you do personally favour. I believe Opensuse should be a distro for the average user, not just for experts!

I am open to arguments, but they don't make sense to me. The normal use case is _not_ to register 11.0 repos on 11.1, but the normal use case is to register GNOME:STABLE and expect to get the latest stable GNOME release and not the one in the 11.1 repos. 

And if someone registers 11.0 repos, he's clearly not an average user and can very well reconfigure the repo prios.

  Having to add elder repos because some programs requested by average users like f.i. knetstats are not provided by current repos has just been one of many arguments. 
  The more important arguments were security, trustworthy and diverging quality of third party package providers while there is actually almost no difference between different builds or subversions of the same package.

understood. WONTFIX!!!!