** Description changed: - Fully updated Ubuntu 26.04 LTS system, packagekit 1.3.4-3. + [ Impact ] - Originally reported as an App Center issue that allows core system - packages to be uninstalled (in combination with compulsory_for_desktop - not being supported by App Center). + PackageKit on Resolute does not respect the "allow deps=false" flag in a RemovePackages transaction. + Thus, uninstalling apps from simple graphical front-ends like the App Center may causes its core reverse-dependencies to be removed as well breaking the system in many cases. - PackageKit on Resolute does not seem to respect the "allow deps=false" - setting and removal of some core app causes its core reverse- - dependencies to be removed as well, breaking the system in many cases. + There exists a second, but weaker, safety-net implemented in graphical + front-ends like the App Center which is to honour a bit of the + application's metadata called "compulsory_for_desktop", by which the app + itself is asking to be considered part of the core functionality of a + certain desktop environment, preventing its removal when running such + desktop environment. This is not sufficient since the app itself might + now know of which packages are marked as depending it. + + A stronger and better guarantee is for front-ends to invoke PackageKit + with the `allow_deps=false` flag and for PackageKit to correctly honour + it denying all transactions that would result in the removal of reverse- + dependencies. + + [ Test Plan ] + + From an Ubuntu Desktop install, + 1. Install the gnome-core metapackage + $ sudo apt install gnome-core --no-install-recommends + 2. Open App Center + 3. Search for "Calculator" between Debian packages + 4. Select "Calculator" (the gnome calculator) + 5. Click Uninstall + 6. Verify that the operation gracefully fails, since it would remove the + gnome-core metapackage which was manually installed. 
+ + [ Regression Test Plan - normal uninstall ] + + We shall still be able to uninstall packages that do not have strong + dependencies on them. + + 1. Open App Center + 2. Search for "showtime" between Debian packages + 3. Select "Video Player" + 4. Click Uninstall + 5. Verify that the operation completed successfully + + [ Regression Test Plan - autoremove ] + + PackageKit should still allow removing other packages; the + allow_deps=false restriction shall only apply to reverse-dependencies, + and not to garbage-collected dependencies. + + 1. Install `gir1.2-packagekitglib-1.0` + 1. In a terminal, run `pkgcli monitor` + 2. In another terminal tab, open a python3 shell and run: + >>> from gi.repository import PackageKitGlib + >>> c = PackageKitGlib.Client() + >>> c.remove_packages(0, ['gnome-core;1:49+10;amd64;'], False, True, None, lambda a,b,c: None, None) + 3. Verify in the `pkgcli monitor` tab that the transaction completed + successfully with gnome-core and its unused dependencies (like gnome-weather) + being removed. + + [ Where problems could occur ] + + The patch affects removal of packages through the PackageKit interface, which is used by graphical package managers like KDE Discover, GNOME Software, Ubuntu App Center, etc... + Problems would manifest when uninstalling packages from those apps.
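Review bot: step 6 of the Test Plan ("Verify that the operation gracefully fails") does not say what to check, so a run where the front-end shows an error but packages were removed anyway would still pass. Add an explicit check after the failed uninstall that both the Calculator package and gnome-core are still installed, and state the error the user is expected to see. In the autoremove regression plan the package ID 'gnome-core;1:49+10;amd64;' is hard-coded and only matches that exact version and architecture; say how to obtain the installed ID first. The steps there are numbered 1, 1, 2, 3, and the Impact text has "may causes" and "might now know of which packages are marked as depending it", where the second reads as the opposite of what is meant.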
** Description changed: [ Impact ] - PackageKit on Resolute does not respect the "allow deps=false" flag in a RemovePackages transaction. + PackageKit does not respect the "allow deps=false" flag in a RemovePackages transaction. Thus, uninstalling apps from simple graphical front-ends like the App Center may causes its core reverse-dependencies to be removed as well breaking the system in many cases. There exists a second, but weaker, safety-net implemented in graphical front-ends like the App Center which is to honour a bit of the application's metadata called "compulsory_for_desktop", by which the app itself is asking to be considered part of the core functionality of a certain desktop environment, preventing its removal when running such desktop environment. This is not sufficient since the app itself might now know of which packages are marked as depending it. A stronger and better guarantee is for front-ends to invoke PackageKit with the `allow_deps=false` flag and for PackageKit to correctly honour it denying all transactions that would result in the removal of reverse- dependencies. [ Test Plan ] From an Ubuntu Desktop install, 1. Install the gnome-core metapackage - $ sudo apt install gnome-core --no-install-recommends + $ sudo apt install gnome-core --no-install-recommends 2. Open App Center 3. Search for "Calculator" between Debian packages 4. Select "Calculator" (the gnome calculator) 5. Click Uninstall 6. Verify that the operation gracefully fails, since it would remove the - gnome-core metapackage which was manually installed. + gnome-core metapackage which was manually installed. [ Regression Test Plan - normal uninstall ] We shall still be able to uninstall packages that do not have strong dependencies on them. 1. Open App Center 2. Search for "showtime" between Debian packages 3. Select "Video Player" 4. Click Uninstall 5. 
Verify that the operation completed successfully [ Regression Test Plan - autoremove ] PackageKit should still allow removing other packages; the allow_deps=false restriction shall only apply to reverse-dependencies, and not to garbage-collected dependencies. 1. Install `gir1.2-packagekitglib-1.0` 1. In a terminal, run `pkgcli monitor` 2. In another terminal tab, open a python3 shell and run: >>> from gi.repository import PackageKitGlib >>> c = PackageKitGlib.Client() >>> c.remove_packages(0, ['gnome-core;1:49+10;amd64;'], False, True, None, lambda a,b,c: None, None) 3. Verify in the `pkgcli monitor` tab that the transaction completed - successfully with gnome-core and its unused dependencies (like gnome-weather) - being removed. + successfully with gnome-core and its unused dependencies (like gnome-weather) + being removed. [ Where problems could occur ] The patch affects removal of packages through the PackageKit interface, which is used by graphical package managers like KDE Discover, GNOME Software, Ubuntu App Center, etc... Problems would manifest when uninstalling packages from those apps.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2148474

Title:
  PackageKit ignores "allow_deps=false" for a RemovePackages transaction on Resolute

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/2148474/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
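Review bot: the first Impact sentence now drops "on Resolute", but the bug title in this same notification still ends "... on Resolute"; if the issue is not specific to that release the title should be changed to match, otherwise keep the release in the description. The same sentence still writes the flag as "allow deps=false" while the later paragraph and the title use `allow_deps=false`; use one spelling. The remaining -/+ pairs in this revision show identical text, so they appear to be whitespace-only changes.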
