Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1344643
Summary: | default install of google-chrome, google-talkplugin or any other google app blocks users from getting *any* system updates | ||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Kamil Páral <kparal> | ||||||||||||||||||
Component: | gnome-software | Assignee: | Richard Hughes <rhughes> | ||||||||||||||||||
Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||||||||
Severity: | unspecified | Docs Contact: | |||||||||||||||||||
Priority: | unspecified | ||||||||||||||||||||
Version: | 24 | CC: | alan.christopher.jenkins, awilliam, klember, quantum.analyst, rhughes, robatino, satellitgo | ||||||||||||||||||
Target Milestone: | --- | Keywords: | CommonBugs, Reopened | ||||||||||||||||||
Target Release: | --- | ||||||||||||||||||||
Hardware: | Unspecified | ||||||||||||||||||||
OS: | Unspecified | ||||||||||||||||||||
Whiteboard: | https://fedoraproject.org/wiki/Common_F24_bugs#packagekit-chrome | ||||||||||||||||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||||||||||||
Doc Text: | Story Points: | --- | |||||||||||||||||||
Clone Of: | Environment: | ||||||||||||||||||||
Last Closed: | 2017-08-08 14:48:27 UTC | Type: | Bug | ||||||||||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||||||||||
Documentation: | --- | CRM: | |||||||||||||||||||
Verified Versions: | Category: | --- | |||||||||||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||||
Embargoed: | |||||||||||||||||||||
Bug Depends On: | |||||||||||||||||||||
Bug Blocks: | 1277289 | ||||||||||||||||||||
Attachments: |
|
Description
Kamil Páral
2016-06-10 08:50:29 UTC
Created attachment 1166588 [details]
PackageKit log while installing Chrome
Created attachment 1166589 [details]
PackageKit log while downloading system updates
Created attachment 1166590 [details]
journal from a failed offline update
Full journal from offline update attached. However pkcon detects the error correctly:
$ pkcon offline-status
Status: Failed
ErrorCode:failed-initialization
ErrorDetails:package google-chrome-stable-51.0.2704.84-1.x86_64 cannot be verified and repo google-chrome is GPG enabled: failed to lookup digest in keyring for /var/cache/PackageKit/24/metadata/google-chrome/packages/google-chrome-stable-51.0.2704.84-1.x86_64.rpm
Created attachment 1166591 [details]
rpm -qa output
Created attachment 1166594 [details] chrome rpm scripts There are the scripts chrome executed during rpm operations. The important one is line 101 install_rpm_key(). At line 151 there is > rpm --import "$TMPKEY" which you can see to fail if you install the rpm using dnf: > Installing : google-chrome-stable-50.0.2661.75-1.x86_64 135/136 > error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Resource temporarily unavailable) > error: /tmp/google.sig.5TVPxG: key 1 import failed. > Redirecting to /bin/systemctl start atd.service They are actually aware that sometimes you can't import a key during post-install, which is why they try to postpone it at line 485: > echo "sh /etc/cron.daily/google-chrome" | at now + 2 minute > /dev/null 2>&1 However, there is a logical error in that script which causes it to no longer try to import the key (it just verifies the repo was added), at least on Fedora. I'm posting this here to explain in detail what's going on, but I don't think this should be used to claim "it's a bug in google-chrome, not our problem". First, they're really trying to make this work, and second I don't even think they should be doing such dirty hacks in post-install. Our package managers should be able to deal with unimported keys in a friendly fashion and should not force third-parties to invent ugly hacks in their RPMs. Created attachment 1166597 [details]
chrome's cron job
This script is executed 2 minutes after RPM install, and regularly once a day. However, it will not fix the missing key import as it's currently written.
After talking to Richard, if chrome installed its key to /etc/pki/rpm-gpg/ this would not happen, because libhif autoimports everything from that directory. It does not automatically download the repo keys, though. Isn't this true of all packages in Google's repository, not just Chrome? I'm pretty sure I saw issues on F23 from the Google Talk plugin, which were fixed after installing the GPG key. (In reply to Elliott Sales de Andrade from comment #8) > Isn't this true of all packages in Google's repository, not just Chrome? Most likely, yes. Thanks for mentioning that. The behavior seems to have changed slightly with gnome-software-3.21.90-2.fc25. It no longer fails during offline update, it fails now during transaction verification in gnome-software (which is an improvement). If you let packagekit do its thing and run in the background, it will download all updates, fail the transaction test, and keep silent. Therefore no "updates are available" notification is posted, probably never (as long as you have google-chrome installed). If you open up gnome-software, it claims "software is up to date" (which is, of course, its usual lie). See screenshot. If you trigger refresh with the top left button, it will re-run the transaction test and show an error message: "package google-chrome-* cannot be verified and repo google-chrome is GPG enabled: failed to lookup digest in keyring in /var/cache/PackageKit/*" See screenshot. If certain people reach this screen and realize they could remove google-chrome (but would they want to do that?), it will "fix" the issue. However, most people won't even see this screen (because even if they wander into the Updates tab, it will say "software is up to date" every time). Created attachment 1195928 [details]
software - "up to date" but not really
This is the screen that you see when you open gnome-software and your system update is already broken due to google-chrome.
Created attachment 1195929 [details]
software - error screen during update refresh
This is the error screen that you see when you manually refresh available updates.
I'm proposing this as a Final blocker, because it violates these criteria: "The installed system must be able to download and install updates with the default graphical package manager in all release-blocking desktops. " https://fedoraproject.org/wiki/Fedora_25_Beta_Release_Criteria#Updates and "Release-blocking desktops must notify the user of available updates, but must not do so when running as a live image. " https://fedoraproject.org/wiki/Fedora_25_Final_Release_Criteria#Update_notification This is a conditional violation in case the user installed google-chrome. Neither the update notification will arrive, nor the update can be performed manually inside gnome-software. Some ideas how to deal with this are provided in comment 0. Please not that due to bug 1367780 you need to install chrome RPM using "pkcon install-local" instead of gnome-software. Also, because there are oh so many bugs in packagekit, in case packagekit already downloaded some updates for you before you installed chrome, you need to refresh the updates list in order to see this bug. I have tested other Google apps [1] as well. This problem most probably affects all of them (because they use the same post-install scripts). I have verified this with google-talkplugin and google-webdesigner. With google-talkplugin, simply install an older version [2] and follow the usual procedure (try to update). Same error. With google-webdesigner, I don't have an older RPM for it, so I used this trick: 1. Installed current google-webdesigner (1.3.5.0) 2. Create a fake google-webdesigner rpm [3] with rpmfluff with version 1.0, downgraded to it 3. Tried to update to the version in repos (1.3.5.0) Adjusting title to make it clear this affects all google apps distributed as RPMs. [1] https://www.google.com/linuxrepositories/ [2] https://kparal.fedorapeople.org/bugs/chrome-updates/google-talkplugin_5.41.0.0_x86_64.rpm [3] https://kparal.fedorapeople.org/bugs/chrome-updates/google-webdesigner-1.0-1.x86_64.rpm https://github.com/rpm-software-management/libhif/pull/187 should fix this (In reply to Kalev Lember from comment #15) > https://github.com/rpm-software-management/libhif/pull/187 should fix this And it does! Thanks. (The PK build people can test with is this: http://koji.fedoraproject.org/koji/buildinfo?buildID=798635 ) PackageKit-1.1.4-0.4.20160901.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-360d537639 PackageKit-1.1.4-0.4.20160901.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-360d537639 PackageKit-1.1.4-0.4.20160901.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. This is still not fixed on F24, is it? I guess not, as there has not been an F24 update to PK since 1.1.3-2. Re-opening, since this was filed against F24 and is on the F24 Common Bugs list. Please fix for F24 if possible. Thanks! This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |