Sorry for posting from phone. I hope it's not too unreadable. I'm a bit ill from travel.
Source: apt
Version: 2.5.4
Severity: serious
On 2023-05-04 11:17:50 +0200, Helmut Grohne wrote:
> Hi release team,
>
> Andreas Beckmann does wonderful QA work and recently figured that some
> packages use deluser during purge (e.g. #1035494 and #1035495). deluser
> is shipped with adduser and adduser used to be practically essential,
> becaue apt used to depend on it, but that dependency was removed on my
> request. Now apt never was essential to begin with, but having a Debian
> installation without apt is a relatively rare thing. So while this was
> theoretically buggy at all times, it is now practically observable.
The current list of relevant bug reports is:
#1034758 x2goserver-common x2goserver-common: fails to purge - command (deluser|delgroup) in postrm not found
#1035291 desktop-autoloader desktop-autoloader: fails to purge - command (deluser|adduser) in postrm not found 2023-04-30
#1035292 debian-edu-fai debian-edu-fai: fails to purge - command (deluser|adduser) in postrm not found 2023-04-30
#1035435 webdis webdis: fails to purge - command (deluser|adduser) in postrm not found
Those bugs might be fixable, but is this list complete?
And then there's that:
> Even if we fix these bugs in the packages, people may still upgrade
> their systems and remove them rather than upgrading. Then, once the
> upgrade is finished (and adduser is removed), they may consider purging
> them and boom things go bad without any way of us fixing those packages.
>
> So fixing these bugs (and probably not removing users in purge) is the
> way to go, but this also raises the question of whether we want to limit
> the possible damage in trixie by making adduser temporarily essential
> for trixie. What do you think?
I suppose you meant s/trixie/bookworm/. We are very late in the release
cycle, so dear apt maintainers, please re-instante the dependency on
adduser for bookworm. Once bookworm is released, removing adduser from
the pseudo-essential set can be revisited.
I don't have a problem pushing a 2.6.1 out with this in the coming days. Is this the best solution though - maybe setting Essential on adduser might be easier and formally fix the issue for now.
With such a change I would have expected upgrade/piuparts tests from
bullseye to bookworm that tried to remove adduser a various stages and
check for the fallout. Given that Andreas is only doing them now, that's
too late for changes to the pseudo-essential set.
We generally do not expect stuff to depend on apt. This seems to be a gap in piuparts, that it has apt installed while testing packages.
Cheers
> Of course, I really like small essential and want it gone, but we need
> to balance that with possible breakage.
>
> I think this primarily is a decision that belongs to the release
> managers with the default choice being "do nothing about it".
>
> Helmut
>
--
Sebastian Ramacher