Date: Thu, 07 Jul 2022 14:00:44 +0000
From: Mogens Jensen
To: alice
Cc: Jakub Jirutka, "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>
Subject: Re: Downgrading of x264-libs?

Sorry for any confusion, I will try to explain better and thanks for the
effort to help.

First an overview of my problem:

I maintain 8 Alpine edge workstations in a lab. 7 for students and 1 for
instructor. The 7 student systems were updated last time on Jun 30. I
don't remember when the instructor system was updated, maybe a few days
before Jun 30.

On Jul 05 I go to the lab and run "apk update && apk upgrade -v" on the
7 student systems. Everything seems normal. I then do the same on the
instructor system, but here I see a "Downgrading" message while
x264-libs was updating. However, the messages rolled off the screen
before I could read the version numbers.

I check the Alpine commit log and see that x264-libs should not have
been downgraded recently, and because of paranoid nature, I'm trying to
find out what most likely happened.

I do understand that nothing was actually downgraded, apk only prints
this because of the change in version number scheme as Jakub explained.
So "Downgrading" will be shown at the point where x264-libs with old
scheme is upgraded to a version with new scheme.

However, the scheme was changed on 2022-01-19 so I wonder why the new
x264-libs package was first now installed on the instructor system, and
why the student systems already had an x264-libs package installed with
the new version scheme. Ultimately if there could be something malicious
going on.

When I write upgrade/update/installed, I mean what happens when running
"apk update && apk upgrade -v".

On Wednesday, July 6th, 2022 at 1:02 PM, alice wrote:

> (and on edge, it's expected people somewhat know what they're doing and
> run -a at least sometimes anyway.)

Yes, I do run that, mostly at the same time when new stable Alpine
versions are released. However, I probably did not do it last time.

> > I have tried to manually install x264-libs-20210613-r0.apk on an edge
> > system with all repositories enabled, remove the string appended to
> > package name in /etc/apk/world and run "apk update && apk upgrade -v".
> > The result is that x264-libs is NOT upgraded. Even after running
> > "apk add -v --upgrade x264-libs" apk still shows no updates.
>
> this would not be possible as the package does not exist in any
> repository anymore.
> even if you had it in cache (with a cache enabled)
> it would not be present in any APKINDEX (unless you had a 3.15
> repository or somesuch configured, i suppose?), so that simply doesn't
> exist.

This was an experiment I did on a freshly installed edge system, just to
see what would happen if 20210613-r0 was installed on the system while
0.164_git20220602-r0 is available in the repository, to try and simulate
the events from the lab. I downloaded the x264-libs-20210613-r0.apk from
v3.15 community repository and installed it manually.

If just running "apk update && apk upgrade -v" afterwards, then apk will
just display this:

OK: 186 MiB in 147 packages

Of course if I run "apk update && apk upgrade -v -a" then apk will
install the newest version:

(1/1) Downgrading x264-libs (20210613-r0 -> 0.164_git20220602-r0)

But I did not use the -a flag, while updating the instructor system.

> > With the following commit, pkgrel was set to 1:
> >
> > community/x264: enable lto
> > https://gitlab.alpinelinux.org/alpine/aports/-/commit/eecb4709387b5c56b5e4dfc8d28cf4923c754b24
> >
> > I know for a fact that this was the version installed on the systems I
> > updated yesterday, that did not "downgrade" x264-libs. So maybe last
> > time I updated these systems, it was in the short window while
> > x264-libs-0.163_git20210613-r1.apk was available on the mirror, which
> > made apk upgrade from x264-libs-20210613-r0, that's why no "downgrade"
> > happened on these yesterday.
>
> i'm confused what you're saying here. how many upgrades happened and
> what versions do you think were between each one? you say 'this' was the
> version installed (0.163-r1), but it was 'upgraded from' 20210613, but
> then there was more stuff that was the actual 'downgrade' and this
> wasn't it.

On the 7 student systems I know that on Jul 05 before I started to
update the systems, x264-libs-0.163_git20210613-r1 was installed on
those, because I first test updates on a virtual machine identical to
those systems, and I still had a snapshot of the VM from last time, so I
could check what was installed.

So on the student systems x264-libs-0.163_git20210613-r1 was installed
for some reason. My theory was that the student systems were updated in
the short window where x264-libs-0.163_git20210613-r1 was available
(0.164_git20220602-r0 was uploaded to repositories on the same day), and
because pkgrel was set to 1, the upgrade from x264-libs with old version
scheme was initiated at that point in time.

The instructor system printed the "Downgrading" message, so therefore
the previous version before upgrading the system must have been
20210613-r0. My theory was that because latest ffmpeg-libs and
ffmpeg4-libs depend on x264-libs-0.164_git20220602-r0, upgrading those
packages would initiate the upgrade of 20210613-r0 on the instructor
system. I have made a test that somewhat resembles this:

# apk add -v x264-libs-20210613-r0.apk
(1/1) Installing x264-libs (20210613-r0)
OK: 148 packages, 908 dirs, 10280 files, 190 MiB

# apk add -v ffmpeg4-libs
[..]
(34/39) Installing vulkan-loader (1.3.216.0-r0)
(35/39) Downgrading x264-libs (20210613-r0 -> 0.164_git20220602-r0)
(36/39) Installing numactl (2.0.14-r0)
(37/39) Installing x265-libs (3.5-r3)
(38/39) Installing xvidcore (1.3.7-r1)
(39/39) Installing ffmpeg4-libs (4.4.2-r2)

Above was my try to explain why the student systems could have
0.163_git20210613-r1 installed, but instructor system only had
20210613-r0 and why it was first now updated to latest version.

Hope that made more sense.

Best regards,
Mogens Jensen
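
Added example, not part of the original message and not apk's own code: a small audit of saved "apk upgrade -v" output that pulls out every "Downgrading" line and separates the version-scheme change discussed in this thread from transitions that deserve a closer look. The version ordering is a simplification that covers only the version shapes quoted above, the snapshot-date heuristic is an assumption, and "examplepkg" is constructed.

```python
import re

# Constructed sample in the format of `apk add -v` output. The x264-libs
# versions are the ones quoted in the message; "examplepkg" is made up.
SAMPLE_LOG = """\
(34/39) Installing vulkan-loader (1.3.216.0-r0)
(35/39) Downgrading x264-libs (20210613-r0 -> 0.164_git20220602-r0)
(1/2) Downgrading examplepkg (1.4.2-r3 -> 1.3.9-r0)
"""

LINE = re.compile(r"^\(\d+/\d+\) (Upgrading|Downgrading) (\S+) \((\S+) -> (\S+)\)$")
VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:_git(\d{8}))?-r(\d+)$")

def parse(version):
    """Return (numeric components, git snapshot date or '', pkgrel).
    Simplified: covers only the version shapes seen in this thread."""
    m = VERSION.match(version)
    if m is None:
        raise ValueError(f"unsupported version: {version}")
    return tuple(map(int, m.group(1).split("."))), m.group(2) or "", int(m.group(3))

def direction(old, new):
    """Label a transition: compare components, then snapshot, then pkgrel."""
    a, b = parse(old), parse(new)
    return "Upgrading" if b > a else "Downgrading" if b < a else "Same version"

def snapshot(version):
    """YYYYMMDD snapshot date carried by a version, or None."""
    nums, git, _ = parse(version)
    if not git and len(nums) == 1 and re.fullmatch(r"20\d{6}", str(nums[0])):
        git = str(nums[0])  # old scheme: the whole version is the date
    return git or None

def audit(log):
    """Return (package, old, new, verdict) for every 'Downgrading' line."""
    findings = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) != "Downgrading":
            continue
        pkg, old, new = m.group(2, 3, 4)
        try:
            s_old, s_new = snapshot(old), snapshot(new)
        except ValueError:
            s_old = s_new = None  # unsupported shape: leave for manual review
        # Heuristic (assumption): an equal or newer snapshot date means the
        # number dropped because the scheme changed, not the code.
        ok = s_old is not None and s_new is not None and s_new >= s_old
        findings.append((pkg, old, new, "scheme-change" if ok else "review"))
    return findings
```

Saving the output (for example with "apk upgrade -v 2>&1 | tee upgrade.log") keeps the lines that otherwise roll off the screen, and "apk version -t <old> <new>" gives apk's own comparison for any pair flagged as "review".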