dom0-updates: disarm protected packages in updatevm

marmarek · marmarek · commit 3d75a220a693 · 2025-11-05T13:11:44.000+01:00
DNF in updatevm doesn't have full knowledge to properly evaluate protected packages - especially it doesn't have full config, but also older DNF version (like in Debian / Whonix) may have different defaults. This for example leads to R4.2->R4.3 upgrade issue, when `dnf` removal is refused, while it should be allowed (as part of migration to `dnf5`). Fix this by setting empty list of protected packages. Dom0's DNF will enforce protected packages on its own. QubesOS/qubes-issues#10256 (comment) https://forum.qubes-os.org/t/qubes-dist-upgrade-script-error-4-3-rc-2/36435
diff --git a/package-managers/qubes-download-dom0-updates.sh b/package-managers/qubes-download-dom0-updates.sh
@@ -14,6 +14,8 @@ fi
 # DNF uses /etc/yum.repos.d, even when --installroot is specified
 OPTS+=("--setopt=reposdir=$DOM0_UPDATES_DIR/etc/yum.repos.d")
 OPTS+=("--setopt=cachedir=$DOM0_UPDATES_DIR/var/cache/dnf")
+# Disarm protected packages mechanism, let dom0 evaluate it instead
+OPTS+=("--setopt=protected_packages=")
 CLEAN_OPTS=("${OPTS[@]}")
 # DNF verifies signatures implicitly, but yumdownloader does not.
 SIGNATURE_REGEX=""
