[CentOS-devel] Packages dropping out of modules

Fri Feb 14 14:04:14 UTC 2020
Paul Clifford <paul.clifford at gmail.com>

Earlier this month this was a report that softhsm was available but not 
installable in CentOS 8 due to a "No available modular metadata for 
modular package" error.  The solution was to enable the idm:DL1 module, 
but my understanding is that modular packages shouldn't be visible while 
their modules are disabled (this seems to be the behaviour in RHEL 8).

Looking in 
http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/ there 
are two versions of softhsm in the AppStream repository:
* softhsm-2.4.0-2.module_el8.1.0+253+3b90c921.x86_64.rpm
* softhsm-2.4.0-2.module_el8.1.0+265+e1e65be4.x86_64.rpm

The repository's modules.yaml file only describes one version of the 
module, idm:DL1:8010020200121181805:4a0acb9a:x86_64, which owns the 
newer package.  When idm:DL1 is enabled this masks the older softhsm 
version but when it's disabled (the default) the newer package is 
removed from view, and with no repository metadata to indicate that the 
older softhsm is part of a module it effectively becomes an ordinary 
member of the AppStream repository.

So "dnf install softhsm" offers two different package versions based on 
whether or not idm:DL1 is enabled, instead of failing with "Error: 
Unable to find a match" when the module is disabled.

You can see a similar thing with the go-toolset module.  It's enabled by 
default and disabling it should hide all of its packages.  Instead, 
because a second version has been published (see the two versions of 
go-toolset, golang, etc at the earlier URL), disabling go-toolset makes 
the previous versions of all the packages appear as ordinary members of 
the AppStream repository.

I found https://bugs.centos.org/view.php?id=16808 from around the time 
of the 8.0 release querying the lack of older version data, and have 
commented on it, but I wanted to confirm that I haven't misunderstood 
the expected behaviour.  For example, if nodejs:12 receives an update 
and the earlier package versions drop out into the main AppStream 
repository it seems that this might cause conflicts for someone 
installing nodejs from a third party repository, even if they've 
disabled nodejs:12.