fix(dnfcache): switch module filter from allowlist to denylist

Rocky/RHEL 8.10 ships the perl:5.26 default-stream modulemd document
with an empty artifacts list, while the actual default-stream .module+
RPMs (perl-interpreter, perl-libs, ...) are still present in
primary.xml. The allowlist approach over-filtered and dropped them
entirely — dnf install perl-interpreter returned unresolved.

Switch the filter semantics: instead of allowing only NVRAs in the
default stream's artifacts list, block NVRAs that appear in *non-default*
streams' artifacts. Default-stream RPMs (whether listed or not) and
unknown modular RPMs pass through, matching dnf install behavior without
explicit dnf module enable.

Author: M0Rf30

pkg/dnfcache/dnfcache.go

@@ -277,13 +277,9 @@ func (c *Cache) isBlockedByModuleFilter(p *PackageInfo) bool {
 		return false
 	}
 
-	if _, hasDefault := c.modules.defaultStream[p.Name]; !hasDefault {
-		return false
-	}
-
 	nvra := packageNVRA(p.Name, p.Epoch, p.Version, p.Release, p.Arch)
 
-	return !c.modules.allowedNVRA[nvra]
+	return c.modules.blockedNVRA[nvra]
 }
 
 // pickProvider chooses the best concrete provider from a list, preferring

pkg/dnfcache/modules.go

@@ -36,14 +36,21 @@ import (
 // moduleIndex holds the parsed module-defaults and the allowed NVRAs.
 // Empty index = no filtering (non-modular repos).
 type moduleIndex struct {
-	defaultStream map[string]string // module -> stream
-	allowedNVRA   map[string]bool   // NVRA strings from default streams
+	defaultStream map[string]string // module -> default stream
+	// blockedNVRA: NVRAs that belong to a *non-default* stream of a module
+	// that has a default. These packages are filtered out (matching `dnf
+	// install` without explicit `dnf module enable`). NVRAs absent from
+	// this set are allowed, including default-stream NVRAs and modular
+	// packages whose default stream lists no artifacts (e.g. Rocky 8.10
+	// perl:5.26 where the default-stream doc has an empty artifacts list
+	// but the .module+el8 RPMs still ship in AppStream repodata).
+	blockedNVRA map[string]bool
 }
 
 func newModuleIndex() *moduleIndex {
 	return &moduleIndex{
 		defaultStream: make(map[string]string),
-		allowedNVRA:   make(map[string]bool),
+		blockedNVRA:   make(map[string]bool),
 	}
 }
 
@@ -115,12 +122,28 @@ func parseModulesYAML(r io.Reader, idx *moduleIndex) {
 		}
 	}
 
-	// Pass 2: keep only rpms from the default stream of each module.
-	for module, stream := range idx.defaultStream {
-		key := module + ":" + stream
+	buildBlockedNVRA(idx, streamRPMs)
+}
 
-		for _, nvra := range streamRPMs[key] {
-			idx.allowedNVRA[nvra] = true
+// buildBlockedNVRA fills idx.blockedNVRA with NVRAs from NON-default streams
+// of each module. Denylist (not allowlist) because some Rocky/RHEL 8 minor
+// releases (e.g. 8.10) ship the default-stream modulemd document with an
+// empty artifacts list while the default-stream `.module+` RPMs still live
+// in primary.xml — an allowlist would over-filter and drop them entirely
+// (e.g. perl-interpreter on Rocky 8.10).
+func buildBlockedNVRA(idx *moduleIndex, streamRPMs map[string][]string) {
+	for module, defaultStream := range idx.defaultStream {
+		prefix := module + ":"
+		defaultKey := prefix + defaultStream
+
+		for key, rpms := range streamRPMs {
+			if !strings.HasPrefix(key, prefix) || key == defaultKey {
+				continue
+			}
+
+			for _, nvra := range rpms {
+				idx.blockedNVRA[nvra] = true
+			}
 		}
 	}
 }
@@ -245,7 +268,7 @@ func loadModuleIndex() *moduleIndex {
 		logger.Info("dnfcache: module index loaded",
 			"files", len(files),
 			"defaults", len(idx.defaultStream),
-			"allowed_nvra", len(idx.allowedNVRA))
+			"blocked_nvra", len(idx.blockedNVRA))
 	}
 
 	return idx

pkg/dnfcache/modules_test.go

@@ -95,12 +95,12 @@ data:
 		t.Errorf("default stream perl=%q want 5.26", got)
 	}
 
-	if !idx.allowedNVRA["perl-0:5.26.3-419.module+el8.5.0+728+2c8a1bd2.x86_64"] {
-		t.Errorf("expected perl-5.26 NVRA in allowed set")
+	if idx.blockedNVRA["perl-0:5.26.3-419.module+el8.5.0+728+2c8a1bd2.x86_64"] {
+		t.Errorf("perl-5.26 (default stream) NVRA must NOT be blocked")
 	}
 
-	if idx.allowedNVRA["perl-0:5.24.4-404.module+el8.6.0+882+2fa1e48f.x86_64"] {
-		t.Errorf("perl-5.24 NVRA must NOT be in allowed set")
+	if !idx.blockedNVRA["perl-0:5.24.4-404.module+el8.6.0+882+2fa1e48f.x86_64"] {
+		t.Errorf("expected perl-5.24 (non-default stream) NVRA to be blocked")
 	}
 }
 
@@ -126,9 +126,9 @@ func TestParseModulesFileRocky8(t *testing.T) {
 	}
 
 	// The 5.24 perl NVRA from the failing build must NOT be allowed.
-	bad := "perl-0:5.24.4-404.module+el8.6.0+882+2fa1e48f.x86_64"
-	if idx.allowedNVRA[bad] {
-		t.Errorf("perl-5.24 NVRA must NOT be allowed: %s", bad)
+	bad := "perl-4:5.24.4-404.module+el8.6.0+882+2fa1e48f.x86_64"
+	if !idx.blockedNVRA[bad] {
+		t.Errorf("perl-5.24 NVRA must be blocked: %s", bad)
 	}
 
 	// All non-default perl-libs NVRAs (5.24, 5.30, 5.32) must be blocked.
@@ -140,10 +140,10 @@ func TestParseModulesFileRocky8(t *testing.T) {
 		"perl-libs-4:5.30.1-452.module+el8.6.0+878+f93dfff7.x86_64",
 		"perl-libs-4:5.32.1-473.module+el8.10.0+1616+0d20cc68.x86_64",
 	} {
-		if idx.allowedNVRA[bad] {
-			t.Errorf("non-default perl-libs NVRA must NOT be allowed: %s", bad)
+		if !idx.blockedNVRA[bad] {
+			t.Errorf("non-default perl-libs NVRA must be blocked: %s", bad)
 		}
 	}
 
-	t.Logf("defaults=%d allowed_nvra=%d", len(idx.defaultStream), len(idx.allowedNVRA))
+	t.Logf("defaults=%d blocked_nvra=%d", len(idx.defaultStream), len(idx.blockedNVRA))
 }