Bug#1050001: Unwinding directory aliasing

To: 1050001@bugs.debian.org
Cc: Simon McVittie <smcv@debian.org>
Subject: Bug#1050001: Unwinding directory aliasing
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Wed, 23 Aug 2023 18:49:26 +0100
Message-id: <[🔎] 25830.18086.611475.544048@chiark.greenend.org.uk>
Reply-to: Ian Jackson <ijackson@chiark.greenend.org.uk>, 1050001@bugs.debian.org
In-reply-to: <[🔎] 25830.11796.730075.169031@chiark.greenend.org.uk>
References: <[🔎] 25823.5706.112593.999861@chiark.greenend.org.uk> <[🔎] ZN90pNtyJxSWqx0y@tautology.pseudorandom.co.uk> <[🔎] 25830.11796.730075.169031@chiark.greenend.org.uk> <[🔎] 25823.5706.112593.999861@chiark.greenend.org.uk>

Also, one other thing I noticed:

tl;dr: *no* version of usrmerge relieves us of the obligation of
naming files correctly, via the proper name in /usr rather than /.

Ian Jackson writes ("Bug#1050001: Unwinding directory aliasing"):
> The current plan, as I understand it, is that we will fix these
> problems by arranging to *always* name files by their canonical paths,
> ie the ones in /usr.
> 
> Naming files by their canonical names will have to be done everywhere.
> This is because any time a file is named by a non-canonical path, a
> program that tries to manipulate that file might malfunction.
> (Whether it malfunctions in practice depends on the precise details
> and gets very complicated.)
...

But Simon writes:
> > This does some but not all of what merged-/usr does: calling /usr/bin/sh
> > would become a non-bug, but calling /bin/env would still be an error,
> > /bin would still represent non-trivial on-disk and/or in-dpkg-database
> > state,

This suggests that a goal of the project is to "make it not be a bug
to refer to a file in /usr/bin by its name in /bin".

However, in the aliased-usrmerge such an incorrect reference *remains*
a bug (unless it can be demonstrated that the reference is only
read-only and no-one will take that path and use it in a non-read-only
context).

It's just that the consequences of the bug are different.

Without usrmerge, or with un-aliased-usrmerge for a file where there
is no compat symlink, the reseult is a "file not found" error.  No
references via that path can work.  (Except maybe transitionally,
while the file is moving.)  Such a bug is not likely to survive long.

With un-aliased usrmerge for files which still have compat symlinks
(eventually, a handful of files considered quite special), using the
reference for mutation might result in breaking the symbolic link; or
it might result in errors from filename lookups in package management
databasesa, where the filename would be not recorded in / or not
recorded as a file.  Broken symlinks could be detected post-hoc on the
affected system, and it could be detected simply and automatically by
QA tooling.  But, this is a good reason to try to reduce the number of
compat symlinks to a very small number.

With aliased usrmerge, for all files forever, using the path in /
might result in confusing behaviour by package management and system
administration tooling.  Reasoning about the consequences is
difficult, but in the worst case it might render the affected
subsystem totally broken.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

Reply to:

References:
- Bug#1050001: Unwinding the directory aliasing mistake
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Bug#1050001: Unwinding directory aliasing
  - From: Simon McVittie <smcv@debian.org>
- Bug#1050001: Unwinding directory aliasing
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Bug#1050001: Unwinding directory aliasing
Next by Date: Bug#1050001: Unwinding directory aliasing
Previous by thread: Bug#1050001: Unwinding directory aliasing
Next by thread: Bug#1050001: Unwinding directory aliasing
Index(es):
- Date
- Thread