John Downey | 19 Oct 20:43 2012

Re: Apt package provider and --force-yes

I think that may be a different problem. Downgrading packages is not supported in apt[1]: "Downgrading is not officially supported by the Debian by design." The recommended path is to remove the old package and install the downgraded package in its place. What the force option does instead is tell apt to ignore all dependency checks and proceed with the install without prompting. Since this option is so dangerous it seems like it should not be used by any form of automation system.

As it exists, if the --force-yes option is removed it would warn you that the package that is installed is not what you specified. I feel this is the behavior I would expect from the ensure => "version string" option.

[1] http://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_emergency_downgrading

On Tuesday, October 16, 2012 5:08:11 PM UTC-5, Andy Parker wrote:
On Tue, Oct 16, 2012 at 1:24 PM, John Downey
<john.... <at> getbraintree.com> wrote:
> Puppeteers,
>
> I've been using the Debian apt provider for package to help ensure a
> specific version of a package is installed such as:
>
> package { "rsyslog": ensure => "5.8.11-1.1" }
>
> However this appears[1] to add --force-yes to the apt command line in
> addition to specifying the exact version requirement. The --force-yes option
> is considered a dangerous option per the debian manual:
>

The --force-yes was added as part of being able to downgrade packages
(https://projects.puppetlabs.com/issues/1999) when the version number
specified forces that.

This may be overkill for what it was trying to achieve. Is there a
safer way of doing this?

> --force-yes
>            Force yes; This is a dangerous option that will cause apt to
> continue without prompting if it is doing something potentially harmful. It
> should not be used except in very special situations. Using force-yes can
> potentially destroy your system! Configuration Item: APT::Get::force-yes.
>
> Is there a reason puppet shouldn't use another option to explicitly add
> --force-yes? Since this option essentially tells apt to ignore everything it
> knows, I've run into cases where this can cause package dependencies to
> become broken without it being obvious. The force flag is not necessary for
> explicitly setting a version number, so it seems like a dangerous option is
> not needed for this use case. Ideally there would be a force option to
> Package that could set this flag to disregard dependencies.
>
> [1]
> https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/package/apt.rb#L57-65
>
> -John
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-dev/-/mN-SAGSjpnwJ.
> To post to this group, send email to puppe... <at> googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-dev+... <at> googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-dev?hl=en.
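
One way a provider could avoid an implicit --force-yes, as an added example (not Puppet's provider code and not written by either poster): compare the installed and requested versions using dpkg's ordering rules, and for a downgrade emit the remove-then-install sequence mentioned in the reply above, adding the force flag only on explicit opt-in. `apt_plan` and `allow_force` are hypothetical names.

```ruby
# Added sketch, not Puppet's apt provider. apt_plan/allow_force are hypothetical.

# dpkg sort weight of a character in a non-digit run:
# '~' sorts before end-of-string, letters before other punctuation.
def order(c)
  return 0 if c.nil?
  return -1 if c == '~'
  c.match?(/[A-Za-z]/) ? c.ord : c.ord + 256
end

# Compare one upstream or revision string, alternating non-digit and digit runs.
def compare_part(a, b)
  a = a.dup
  b = b.dup
  until a.empty? && b.empty?
    x = a.slice!(/\A\D*/)
    y = b.slice!(/\A\D*/)
    [x.length, y.length].max.times do |i|
      d = order(x[i]) - order(y[i])
      return d <=> 0 unless d.zero?
    end
    n = a.slice!(/\A\d*/).to_i
    m = b.slice!(/\A\d*/).to_i
    return n <=> m unless n == m
  end
  0
end

# Split "[epoch:]upstream[-revision]"; a missing revision compares equal to "0".
def split_version(v)
  epoch, rest = v.include?(':') ? v.split(':', 2) : ['0', v]
  upstream, revision = rest.include?('-') ? rest.rpartition('-').values_at(0, 2) : [rest, '']
  [epoch.to_i, upstream, revision]
end

def deb_compare(a, b)
  ea, ua, ra = split_version(a)
  eb, ub, rb = split_version(b)
  [ea <=> eb, compare_part(ua, ub), compare_part(ra, rb)].find { |c| c != 0 } || 0
end

# Return the apt-get command lines needed to reach `wanted` (installed may be nil).
def apt_plan(name, installed, wanted, allow_force: false)
  install = ['apt-get', '-q', '-y', 'install', "#{name}=#{wanted}"]
  return [install] if installed.nil?
  cmp = deb_compare(wanted, installed)
  return [] if cmp.zero?
  return [install] if cmp > 0
  # Downgrade: the force flag appears only on explicit opt-in.
  return [install.dup.insert(3, '--force-yes')] if allow_force
  [['apt-get', '-q', '-y', 'remove', name], install]
end
```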
