[BUG] dnf5 installs packages it should download #67769

Open
1 task done
Ofenhed opened this issue Feb 25, 2025 · 7 comments
Labels
fedora affects this operating system info-needed waiting for more info Linux

Comments


Ofenhed commented Feb 25, 2025

Description
There was a breaking change in #64675:salt/modules/yumpkg.py#L1711-R1719 that made it so that pkg.downloaded silently converts to pkg.installed.

This is a very big issue for use cases such as VMs with a common base image, where packages untrusted for certain domains are still downloaded for all domains and installed in the VM only when needed. This could include packages with automatically executing services, or packages containing files with permission attributes or suid flags set.

As far as I can tell, dnf5 still supports --downloadonly (but has issues with dnf -C install, so it has greatly reduced its functionality). Unless there are some interoperability issues with other arguments, I suggest that the change to how --downloadonly is handled be reverted.

[user@disp3441 ~]$ dnf5 install --help
Usage:
  dnf5 [GLOBAL OPTIONS] install [OPTIONS] [ARGUMENTS] 
                                   
Options:                           
  --allowerasing                   Allow removing of installed packages to resol
                                   ve problems
  --skip-broken                    Allow resolving of depsolve problems by skipp
                                   ing packages
  --skip-unavailable               Allow skipping unavailable packages
  --allow-downgrade                Allow downgrade of dependencies for resolve o
                                   f requested operation
  --no-allow-downgrade             Disable downgrade of dependencies for resolve
                                    of requested operation
  --downloadonly                   Only download packages for a transaction
  --offline                        Store the transaction to be performed offline
  --advisories=ADVISORY_NAME,...   Limit to packages in advisories with specifie
                                   d name. List option.
  --advisory-severities=ADVISORY_  Limit to packages in advisories with specifie
  VERITY,...                       d severity. List option. Can be "critical", "
                                   important", "moderate", "low", "none".
  --bzs=BUGZILLA_ID,...            Limit to packages in advisories that fix a Bu
                                   gzilla ID, Eg. 123123. List option.
  --cves=CVE_ID,...                Limit to packages in advisories that fix a CV
                                   E (Common Vulnerabilities and Exposures) ID, 
                                   Eg. CVE-2201-0123. List option.
  --security                       Limit to packages in security advisories.
  --bugfix                         Limit to packages in bugfix advisories.
  --enhancement                    Limit to packages in enhancement advisories.
  --newpackage                     Limit to packages in newpackage advisories.
  --store=STORED_TRANSACTION_PATH  Store the current transaction in a directory 
                                   at the specified path instead of running it.
  --advisory=ADVISORY_NAME,...     Alias for --advisories
  --bz=BUGZILLA_ID,...             Alias for --bzs
  --cve=CVE_ID,...                 Alias for --cves
                                   
Arguments:                         
  specs                            List of <package-spec>|@<group-spec>|@<enviro
                                   nment-spec> to install

Setup

  • VM (Qubes TemplateVM)

Steps to Reproduce the behavior
Create a list of packages to download, e.g.:

Programs that include suid binaries or automatically start services:
  pkg.downloaded:
    - pkgs:
      - chromium
      - fuse

Expected behavior
Those packages are downloaded to the dnf cache, or an error is thrown if that transaction fails.

Actual behavior
Those packages are installed.

Versions Report

salt-minion --versions-report
Python Version:
        Python: 3.13.2 (main, Feb  4 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)]
 
Dependency Versions:
          cffi: 1.17.0
      cherrypy: 18.10.0
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.5
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.6
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 24.2
     pycparser: 2.20
      pycrypto: Not Installed
  pycryptodome: 3.21.0
        pygit2: Not Installed
  python-gnupg: 0.5.0
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: Not Installed
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.5
 
Salt Package Information:
  Package Type: Not Installed
 
System Versions:
          dist: fedora 41 
        locale: utf-8
       machine: x86_64
       release: 6.6.77-1.qubes.fc37.x86_64
        system: Linux
       version: Fedora Linux 41 
dnf5 --version
dnf5 version 5.2.10.0
dnf5 plugin API version 2.0
libdnf5 version 5.2.10.0
libdnf5 plugin API version 2.1

Loaded dnf5 plugins:
  name: builddep
  version: 1.0.0
  API version: 2.0

  name: changelog
  version: 1.0.0
  API version: 2.0

  name: config-manager
  version: 0.1.0
  API version: 2.0

  name: copr
  version: 0.1.0
  API version: 2.0

  name: needs_restarting
  version: 1.0.0
  API version: 2.0

  name: repoclosure
  version: 1.0.0
  API version: 2.0

  name: reposync
  version: 1.0.0
  API version: 2.0
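
A check for the expected behavior described in the report above, as an added example that is not part of the issue or of Salt's code: it classifies a dnf5 command line as download-only or not, and compares installed-package snapshots taken before and after a `pkg.downloaded` run. The function names, the sample package lists and the `fuse-libs` dependency are constructed for illustration.

```python
import subprocess

def installed_names(rpm_qa_text):
    """Parse `rpm -qa --qf '%{NAME}\\n'` output into a set of package names."""
    return {ln.strip() for ln in rpm_qa_text.splitlines() if ln.strip()}

def snapshot():
    """Live snapshot of installed package names (requires rpm on the host)."""
    cmd = ["rpm", "-qa", "--qf", "%{NAME}\\n"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return installed_names(out.stdout)

def is_download_only(argv):
    """True if the dnf5 argv only asks for a download: the `download`
    subcommand, or `install` carrying --downloadonly. Assumption: option
    values use the --opt=value form, so the first non-option token after
    the program name is the subcommand."""
    words = [a for a in argv[1:] if not a.startswith("-")]
    if not words:
        return False
    if words[0] == "download":
        return True
    return words[0] == "install" and "--downloadonly" in argv

def audit_download_state(requested, before, after):
    """Compare snapshots taken around a pkg.downloaded run.
    Anything newly installed means the download-only intent was not honored."""
    new = after - before
    wanted = set(requested)
    return {
        "installed_requested": sorted(new & wanted),
        "installed_dependencies": sorted(new - wanted),
        "ok": not new,
    }

# Constructed sample data, not captured from a real host.
BEFORE = installed_names("bash\nglibc\n")
AFTER = installed_names("bash\nglibc\nchromium\nfuse\nfuse-libs\n")

if __name__ == "__main__":
    print(is_download_only(["dnf5", "-y", "install", "chromium", "fuse"]))
    print(audit_download_state(["chromium", "fuse"], BEFORE, AFTER))
```

On a real template, call `snapshot()` before and after applying the state and pass both sets to `audit_download_state`.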

welcome bot commented Feb 25, 2025

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

@Ofenhed Ofenhed changed the title dnf5 installs packages it should download [BUG] dnf5 installs packages it should download Feb 25, 2025
@dmurphy18
Contributor

@Ofenhed You need to fill out the template for an issue, specifically the version of Salt. Nothing will be done until the version of Salt and the OS are specified, along with how the problem can be duplicated (exact commands are welcome); otherwise, a fix for something else found might be made which does not address your issue.

Understand you are probably using Fedora 41, but need it stated; also whether it is a Fedora package for Salt, or Salt one-dir architecture, etc.

@dmurphy18 dmurphy18 added the info-needed waiting for more info label Feb 25, 2025
@dmurphy18 dmurphy18 self-assigned this Feb 25, 2025
@dmurphy18
Contributor

@Ofenhed You stated

As far as I can tell, dnf5 still supports --downloadonly 

I am unable to find support for --downloadonly in the dnf5 --help and dnf5 download --help files. Can you direct me to where support for --downloadonly is stated in dnf5? Note that what was implemented was verified by the Fedora Salt maintainer at the time; see #64532 (comment) and PR #64675.

@Ofenhed
Author

Ofenhed commented Feb 26, 2025

@dmurphy18 I've updated the issue with the requested information.

@dmurphy18
Contributor

dmurphy18 commented Feb 26, 2025

@Ofenhed Perhaps you misunderstand me, but I could not find the option --downloadonly in dnf5 --help output.
However, I did find rpm-software-management/dnf5#537, where support was desired and resolved, and the current Fedora 41 dnf5 support has dnf5 install --downloadonly. Is this the option you are requesting, or is there some other location where this is an option? Note that Salt is limited to what the version of dnf5 provides.
Also URL https://forums.fedoraforum.org/showthread.php?332116-dnf5-has-full-download-support-now!

Looks like dnf5 has been quite altered since 2023; will need to examine other changes made to dnf5 since 2023 for what other additions need to be made or altered, see https://dnf5.readthedocs.io/en/latest/commands/download.8.html

Also, the Python version (Python: 3.13.2) means that this is not a Salt packaged release for Fedora 41. Hence, how was Salt installed: via PyPI or from some Fedora-provided package? Note that Salt supports its own released onedir packages (which use Python 3.10 internally), and provides best effort for other means of installation.

There is internal work to support Python versions 3.11, 3.12 and 3.13, but it is not ready for prime time yet and there are some issues using Salt with these versions of Python. The team is resource limited after the Broadcom acquisition at the start of 2024.
