Incomplete snapd updates

alexsec · October 12, 2025, 9:21pm

Hi,

Since snapd-selinux-2.71-1.22.noarch, except for version 2.71-1.23, the following error appears every time a snapd and snapd-selinux update is available for openSUSE Tumbleweed in the snappy repo.

Problem: 1: nothing provides 'selinux-policy >= 20251009-1.1' needed by the to be installed snapd-selinux-2.71-1.26.noarch
 Solution 1: deinstallation of snapd-selinux-2.71-1.24.noarch
 Solution 2: keep obsolete snapd-selinux-2.71-1.24.noarch
 Solution 3: break snapd-selinux-2.71-1.26.noarch by ignoring some of its dependencies

It seems that the policy file is not updated as well and we’re forced to select option 2 and keep the obsolete version.

I have already posted a similar message on snapcraft forum but I haven’t received any answer yet.

Thank you.

Sauerland · October 12, 2025, 9:38pm

Do you use the snappy Repo?
Post
zypper lr -d

mhurron · October 12, 2025, 9:40pm

20251009 hasn’t been released in a snapshot. You will have to wait.

alexsec · October 12, 2025, 10:01pm

@Sauerland as I have already written in my post, I do. As a matter of fact, I’m getting a new snapd update from snappy on a daily basis. I really wonder why. I don’t think the developers make changes daily. Another system I use that is running Xubuntu, doesn’t receive snapd updates so often.

alexsec · October 12, 2025, 10:06pm

@mhurron The problem is that if this file is not updated in sync with snapd and snapd-selinux I get the same error almost every day.

Sauerland · October 12, 2025, 10:26pm

And why not posting your Repo list?

snapd is on Release 1.27 and not 1.26 as in your post.

alexsec · October 12, 2025, 10:36pm

@Sauerland because I’m using the phone right now. I’m not on the computer. I know about the version. I wrote the message yesterday and pasted it here today. I got the same error today with 1.27.

mhurron · October 12, 2025, 11:01pm

“Every day” since when? Hyperbole doesn’t help anyone.

It is clearly building against upstream repos and not released versions of the selinux-policy package. There hasn’t been a release since the 7th so ya, I bet it hasn’t worked for about 5 days now.

But even then, if it’s tracking the upstream repo this will happen regularly, because there is a lag between when upstream updates, that update is accepted, put through openQA and then released. You have to accept that when you enable other repos.

arvidjaar · October 13, 2025, 4:36am

If you know everything, why do you even ask? The package from the system:snappy does not have this dependency:

bor@bor-Latitude-E5450:~/tmp$ curl -LO https://download.opensuse.org/repositories/system:/snappy/openSUSE_Tumbleweed/noarch/snapd-selinux-2.71-1.27.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 34857  100 34857    0     0    98k      0 --:--:-- --:--:-- --:--:--   98k
bor@bor-Latitude-E5450:~/tmp$ rpm -q --requires -p snapd-selinux-2.71-1.27.noarch.rpm 
warning: snapd-selinux-2.71-1.27.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID ed340235: NOKEY
/bin/sh
/bin/sh
/bin/sh
/bin/sh
/bin/sh
libselinux-utils
policycoreutils
policycoreutils-python-utils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
selinux-policy >= 20251008-2.1
selinux-policy-base >= 20251008-2.1
snapd
bor@bor-Latitude-E5450:~/tmp$

alexsec · October 13, 2025, 5:05am

@arvidjaar I know the newer version was 1.27. That’s what I meant. I just didn’t paste today’s error message. I pasted yesterday’s message. The day before yesterday it was 1.25. I’m facing this thing every day since version 1.22.

The message is specific and the correct policy file is missing the same way it was missing yesterday and the day before. If you want, I can paste the new messages every time thay appear.

This issue never happened before version 1.22.

Sauerland · October 13, 2025, 8:28am

https://bugzilla.suse.com/show_bug.cgi?id=1251907

arvidjaar · October 13, 2025, 8:34am

Something very strange happens in OBS. The snapd for Tumbleweed is built against Tumbleweed version of the selinux-policy. In the log it can be clearly seen:

...
[    8s] [242/248] cumulate selinux-policy-20251006-1.1
...
[  328s] Processing files: snapd-selinux-2.71-1.27.noarch
[  328s] Provides: snapd-selinux = 2.71-1.27
[  328s] Requires(interp): /bin/sh /bin/sh /bin/sh /bin/sh /bin/sh
[  328s] Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
[  328s] Requires(pre): /bin/sh
[  328s] Requires(post): /bin/sh libselinux-utils policycoreutils policycoreutils-python-utils selinux-policy-base >= 20251006-1.1

but looking at the downloaded package, it suddenly requires the selinux-policy 20251008 which is only available in Factory, not in Tumbleweed.

andrei@tumbleweed:~> rpm -qf /usr/lib/rpm/macros.d/macros.selinux-policy
selinux-policy-20251006-1.1.noarch
andrei@tumbleweed:~> rpm -q --requires -p snapd-selinux-2.71-1.27.noarch.rpm | grep selinux
warning: snapd-selinux-2.71-1.27.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID ed340235: NOKEY
libselinux-utils
selinux-policy >= 20251008-2.1
selinux-policy-base >= 20251008-2.1
andrei@tumbleweed:~>

It looks almost as if OBS mixed up builds for Tumbleweed and Factory.

That is beyond my OBS-fu. It needs proper bug report.

arvidjaar · October 13, 2025, 11:14am

There is some hope that it is fixed.

https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/L7UCMPXQKGW4OG6TZMNHZYC2KUUUU5GR/

alexsec · October 13, 2025, 9:03pm

@arvidjaar @Sauerland @mhurron

I got the following responses in the snapcraft forum:

"It’s a known problem that cannot be resolved until snapd enters Factory. The Tumbleweed repositories are built agains openSUSE_Factory, which is what the next snapshot of TW will be. However, there are no repositories of the current snapshot of TW that OBS can use for the build. That’s because the current snapshot had already been published and is de-facto done and shipped.

This will auto-resolve in a few days, once subsequent TW snapshots are published."

And this response:

" And per mailing list sugegstion I’ve split out the i586 repository. The problem should be resolved now, please zypper ref && zypper dup again."

The new 1.28 version got installed successfully indeed.

Thank you very much.

jsulig · October 14, 2025, 1:13am

openSUSE:Tumbleweed project on OBS downloads the packages of the current snapshots.
This can been seen from its repositories:

It mentions directories on downloadcontent.opensuse.org, which gives a 403 error when being accessed from a browser.
But the top page of https://downloadcontent.opensuse.org implies that the contents are the same on https://download.opensuse.org

The flow of packages here is:
download server → openSUSE:Tumbleweed/dod → openSUSE:Tumbleweed/standard → system:snappy/openSUSE_Tumbleweed

The issue here is different architecures don’t publish snapshots at the same time.
I see now system:snappy/openSUSE_Tumbleweed has x86_64 and aarch64. They both get selinux-policy-20251006-1.1 because both have no snapshot published after selinux-policy updated to 20251008.
https://factory-dashboard.opensuse.org/
If one of them publishes a snapshot now while the other doesn’t, the architecture with no snapshot published will have this problem again.

arvidjaar · October 14, 2025, 7:07am

Then they must be split into different repositories to avoid any confusion.

jsulig · October 14, 2025, 10:28am

I agree with you.

system · November 13, 2025, 10:29am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.