pin packages to specific versions #132

Closed
millerthegorilla opened this issue Mar 5, 2021 · 8 comments

@millerthegorilla

millerthegorilla commented Mar 5, 2021

Hi, I am using silverblue with podman, which I am currently using daily for development, but intend to use permanently in production. However, the last podman release was broken, and I have been unable to use the updated podman until a fix is released. (containers/podman#9532)
This has left me unable to update and in just over a week I have been left with many security updates as well as other updates needing to be installed, but if I install them, then I lose podman.
So, as a feature request, I am hoping there is some way to pin a package to a specific version. Perhaps there is already some way of achieving this, although I was informed on the podman page that the last good working version has been removed from the repositories, so building a custom tree might be difficult, assuming such a thing is possible.
I have already pinned the commit with the working version so that I don't lose it, but like I say, whilst I can work on that commit, I am working in a compromised environment without the updates.
Here is the list of updates that I am currently missing; note the security advisories. This is within one week of a non-functioning podman.
AvailableUpdate:
Version: 33.20210304.0 (2021-03-04T19:55:19Z)
Commit: 5619b8d88d7b1100724ab7cd81c2b8f7ba0278021f12c1597b7281ffd15aaf4c
GPGSignature: 1 signature
Signature made Thu 04 Mar 2021 19:55:27 GMT using RSA key ID 49FD77499570FF31
Good signature from "Fedora fedora-33-primary@fedoraproject.org"
SecAdvisories: FEDORA-2021-20b9876f11 Unknown rygel-0.40.1-1.fc33.x86_64
FEDORA-2021-b1843407ca Moderate python-unversioned-command-3.9.2-1.fc33.noarch
FEDORA-2021-b1843407ca Moderate python3-3.9.2-1.fc33.x86_64
FEDORA-2021-b1843407ca Moderate python3-libs-3.9.2-1.fc33.x86_64
CVE-2021-23336 python: Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters
https://bugzilla.redhat.com/show_bug.cgi?id=1928904
FEDORA-2021-fb466fb623 Moderate buildah-1.19.6-2.fc33.x86_64
FEDORA-2021-fb466fb623 Moderate containernetworking-plugins-0.9.1-2.fc33.x86_64
FEDORA-2021-fb466fb623 Moderate containers-common-4:1-4.fc33.noarch
FEDORA-2021-fb466fb623 Moderate podman-2:3.0.1-1.fc33.x86_64
FEDORA-2021-fb466fb623 Moderate podman-plugins-2:3.0.1-1.fc33.x86_64
FEDORA-2021-fb466fb623 Moderate skopeo-1:1.2.2-1.fc33.x86_64
CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
https://bugzilla.redhat.com/show_bug.cgi?id=1919391
FEDORA-2021-28f97e232d Important bind-libs-32:9.11.28-1.fc33.x86_64
FEDORA-2021-28f97e232d Important bind-libs-lite-32:9.11.28-1.fc33.x86_64
FEDORA-2021-28f97e232d Important bind-license-32:9.11.28-1.fc33.noarch
FEDORA-2021-28f97e232d Important bind-utils-32:9.11.28-1.fc33.x86_64
CVE-2020-8625 bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1929965
FEDORA-2021-3430f96019 Important wpa_supplicant-1:2.9-8.fc33.x86_64
CVE-2021-27803 wpa_supplicant: wpa_supplicant P2P provision discovery processing vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1933361

@millerthegorilla
Author

Apparently it's going to be another week before podman will start working again.

@jlebon
Member

jlebon commented Mar 5, 2021

You can do rpm-ostree override replace https://koji.fedoraproject.org/koji/buildinfo?buildID=1656464.

@millerthegorilla
Author

That's great thanks. I ran rpm-ostree update, and then the command you posted, rpm-ostree override...
The new version of Podman is going to be released next week. When it is, is there an rpm-ostree command to return the podman package back to normal, i.e. 'unpin' it?

@jlebon
Member

jlebon commented Mar 5, 2021

Yes, rpm-ostree override reset podman podman-plugins.

@millerthegorilla
Author

Wow. Thanks for that. I wonder if it might be possible to put an example in the man page? Is koji the only place to go for package versions?
In any case I'll close this issue now. Many thanks.

@millerthegorilla
Author

millerthegorilla commented Mar 17, 2021

It seems that there are more recent updates at koji: https://koji.fedoraproject.org/koji/packageinfo?packageID=26289
Yet I am stuck with podman 3.0.1, which doesn't work. I have run the override replace command detailed above, and the working 2.2.1 has been replaced with the unfunctional 3.0.1. Should I not be getting a later version, from koji, automatically?
Or am I waiting for a new official release of podman to occur? And can I temporarily install a working dev 3.1.1 version from koji?

Many thanks for any help in advance...

@jlebon
So, I tried upgrading to the 3.1.1 f33 rc, by running the command

rpm-ostree override reset podman podman-plugins

and, after rebooting, running the command

rpm-ostree override replace https://koji.fedoraproject.org/koji/buildinfo?buildID=1720774

Afterwards, the podman was still unfunctional, with a server reset when connecting to a forwarded port. So I reset the package running the command

rpm-ostree override reset podman podman-plugins

and then ran the command:

rpm-ostree override replace https://koji.fedoraproject.org/koji/buildinfo?buildID=1656464

but I got the following error:

error: Override already exists for package 'podman-remote-2:2.2.1-1.fc33.x86_64'

Any help appreciated, as I need to get back to a working podman, preferably without resetting my base.

@jlebon
Member

jlebon commented Mar 22, 2021

The RPMs you override replace are "sticky". They're not automatically upgraded, but stay pinned at the version you chose (there's an RFE to support repo overrides: see coreos/rpm-ostree#1265 and coreos/rpm-ostree#2326). To unstick them, you can override reset to go back to the base version. Or if you'd like to pin to a new version, you can override reset -a first, and then override replace $new_build.
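
An added example, not part of the thread or of rpm-ostree itself: because overridden RPMs stay pinned, a pin can hold a package below a version named in a security advisory. The code parses `SecAdvisories` text in the format quoted in the first comment and reports the advisories that name a pinned package; the function names, the `PINNED` set and the sample excerpt are assumptions made for illustration.

```python
import re

# Constructed sample: an excerpt of the SecAdvisories lines quoted in this issue.
SAMPLE = """\
SecAdvisories: FEDORA-2021-fb466fb623 Moderate buildah-1.19.6-2.fc33.x86_64
FEDORA-2021-fb466fb623 Moderate containernetworking-plugins-0.9.1-2.fc33.x86_64
FEDORA-2021-fb466fb623 Moderate podman-2:3.0.1-1.fc33.x86_64
FEDORA-2021-fb466fb623 Moderate podman-plugins-2:3.0.1-1.fc33.x86_64
CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
https://bugzilla.redhat.com/show_bug.cgi?id=1919391
FEDORA-2021-3430f96019 Important wpa_supplicant-1:2.9-8.fc33.x86_64
CVE-2021-27803 wpa_supplicant: wpa_supplicant P2P provision discovery processing vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1933361
"""

# Assumption: the packages the operator pinned with `override replace`.
PINNED = {"podman", "podman-plugins"}

ADVISORY = re.compile(r"^(?:SecAdvisories:\s*)?(FEDORA-\S+)\s+(\S+)\s+(\S+)$")
CVE = re.compile(r"^(CVE-\d{4}-\d+)\b")


def nevra_name(nevra):
    """Return the package name from name-[epoch:]version-release.arch."""
    # Version and release never contain '-', so the name is everything
    # before the last two hyphen-separated fields.
    return nevra.rsplit("-", 2)[0]


def held_back(status_text, pinned):
    """Map advisory id -> severity, pinned packages it names, and its CVEs."""
    advisories, current = {}, None
    for raw in status_text.splitlines():
        line = raw.strip()
        m = ADVISORY.match(line)
        if m:
            adv_id, severity, nevra = m.groups()
            current = advisories.setdefault(
                adv_id, {"severity": severity, "packages": [], "cves": []})
            if nevra_name(nevra) in pinned:
                current["packages"].append(nevra)
        elif current is not None and (m := CVE.match(line)):
            # A CVE line belongs to the advisory whose packages precede it.
            current["cves"].append(m.group(1))
    # Keep only advisories that name at least one pinned package.
    return {k: v for k, v in advisories.items() if v["packages"]}


if __name__ == "__main__":
    for adv_id, info in held_back(SAMPLE, PINNED).items():
        print(adv_id, info["severity"], info["cves"], info["packages"])
```
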

@millerthegorilla
Author

Thank you very much for that. I was having to reset the whole tree to install the new version. I have found it difficult to find extensive documentation on the use of rpm-ostree and the ostree command.
