Bugzilla – Bug 1138638
1-click install should not accept metadata without distversion tag.
Last modified: 2020-01-24 10:45:06 UTC
There are more and more reports (both forums and mailing lists) from users who used 1-Click install on stable releases and ended up having Tumbleweed repository configured for them. See e.g. this one which includes summary of other reports: https://forums.opensuse.org/showthread.php/536470-Accidentally-installed-Factory-repository?p=2906194#post2906194 In all cases the problem is that user clicks on Tumbleweed version which does not provide distversion tag in its metadata. According to XML schema for 1-Click metadata, distversion tag is mandatory. Why YaST oneclick installer silently accepts invalid XML without this tag? At the very least installer must warn users multiple times that it cannot verify that package is actually intended for distribution user is using and provide as much information as possible for user to verify manually (presence of "tumbleweed" in URL would be some strong hint). As it stands currently 1-Click installer became rather useless due to this issue.
It's worse than useless. It causes: 1-much time wasted by users trying to recover Leap functionality (not always successful) and by those helping users needing instruction to recover or understand what went wrong with functionality that simply works in Ubuntu 2-possible derogation of openSUSE reputation 3-data loss risk.
Could you please attach y2logs which shows this behavior ? https://en.opensuse.org/openSUSE:Report_a_YaST_bug#I_reported_a_YaST2_bug.2C_and_now_I_am_asked_to_.22attach_y2logs.22._What_does_that_mean.2C_and_how_do_I_do_that.3F
Created attachment 808472 [details] y2logs https://software.opensuse.org/ymp/openSUSE:Factory/standard/gnome-mahjongg.ymp?base=openSUSE%3AFactory&query=gnome-mahjongg The problem is aggravated by the fact that software.o.o always suggests Tumbleweed 1-click link even when user is on Leap. User just clicks on link that *you* (openSUSE) offer. That should be a separate bug. I think it was reported, but cannot find it now. bor@10:~> zypper lr -d # | Alias | Name | Enabled | GPG Check | Refresh | Priority | Type | URI | Service ---+-------------------------------------+-----------------------------------------+---------+-----------+---------+----------+--------+--------------------------------------------------------------------------+-------- 1 | download.opensuse.org-non-oss | Main Repository (NON-OSS) | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/distribution/leap/15.1/repo/non-oss/ | 2 | download.opensuse.org-non-oss_1 | Update Repository (Non-Oss) | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/15.1/non-oss/ | 3 | download.opensuse.org-oss | Main Repository (OSS) | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/distribution/leap/15.1/repo/oss/ | 4 | download.opensuse.org-oss_1 | Main Update Repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/15.1/oss | 5 | http-download.opensuse.org-6ebff5e5 | openSUSE:Factory | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/tumbleweed/repo/oss/ | 6 | repo-debug | openSUSE-Leap-15.1-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/distribution/leap/15.1/repo/oss/ | 7 | repo-debug-non-oss | openSUSE-Leap-15.1-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/distribution/leap/15.1/repo/non-oss/ | 8 | repo-debug-update | openSUSE-Leap-15.1-Update-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/update/leap/15.1/oss/ | 9 | repo-debug-update-non-oss | openSUSE-Leap-15.1-Update-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/update/leap/15.1/non-oss/ | 10 | repo-source | openSUSE-Leap-15.1-Source | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/distribution/leap/15.1/repo/oss/ | 11 | repo-source-non-oss | openSUSE-Leap-15.1-Source-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/distribution/leap/15.1/repo/non-oss/ | bor@10:~>
I fully agree. The schema makes the 'distversion' attribute to the 'group' element mandatory. We should stick to that and reject (not warn) invalid XML. That said I see 'distversion' missing everywhere on s.o.o - so enforcing this will probably annoy people even more. I guess this needs to be sorted out.
Tracking in YaST Scrum board.
There's an open issue for the obs that needs to be resolved first: https://github.com/openSUSE/open-build-service/issues/7458
fixed 1-click installer https://github.com/yast/yast-metapackage-handler/pull/18
This is an autogenerated message for OBS integration: This bug (1138638) was mentioned in https://build.opensuse.org/request/show/766789 Factory / yast2-metapackage-handler