From 3d75a220a693eb8489d0e4c57c82628a158c2c20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 4 Nov 2025 15:39:07 +0100 Subject: [PATCH] dom0-updates: disarm protected packages in updatevm DNF in updatevm doesn't have full knowledge to properly evaluate protected packages - especially it doesn't have full config, but also older DNF version (like in Debian / Whonix) may have different defaults. This for example leads to R4.2->R4.3 upgrade issue, when `dnf` removal is refused, while it should be allowed (as part of migration to `dnf5`). Fix this by setting empty list of protected packages. Dom0's DNF will enforce protected packages on its own. https://github.com/QubesOS/qubes-issues/issues/10256#issuecomment-3361998598 https://forum.qubes-os.org/t/qubes-dist-upgrade-script-error-4-3-rc-2/36435 --- package-managers/qubes-download-dom0-updates.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/package-managers/qubes-download-dom0-updates.sh b/package-managers/qubes-download-dom0-updates.sh index d843c188c..6dfe8c252 100755 --- a/package-managers/qubes-download-dom0-updates.sh +++ b/package-managers/qubes-download-dom0-updates.sh @@ -14,6 +14,8 @@ fi # DNF uses /etc/yum.repos.d, even when --installroot is specified OPTS+=("--setopt=reposdir=$DOM0_UPDATES_DIR/etc/yum.repos.d") OPTS+=("--setopt=cachedir=$DOM0_UPDATES_DIR/var/cache/dnf") +# Disarm protected packages mechanism, let dom0 evaluate it instead +OPTS+=("--setopt=protected_packages=") CLEAN_OPTS=("${OPTS[@]}") # DNF verifies signatures implicitly, but yumdownloader does not. SIGNATURE_REGEX=""
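Review bot: the added `OPTS+=("--setopt=protected_packages=")` sits above `CLEAN_OPTS=("${OPTS[@]}")`, so the emptied protected list is copied into the clean options as well. That looks harmless, but if the override is only meant for the resolve/download transaction, move it below the copy, or state in the comment that the clean path gets it on purpose. The in-code comment could also carry the reason given in the commit message (the updatevm DNF lacks dom0's full config, and older DNF in Debian / Whonix may have different defaults), so the line is not later removed as an apparent weakening. Since the commit message singles out those older DNF versions, it is worth confirming that an empty `--setopt=protected_packages=` value actually clears the list there rather than being ignored or rejected.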