On Tue, 31 Jul 2018 04:27:29 +0200 Nicolai Lissner <bugreport@gnuffy.net> wrote: > Dear Debian QA Group, I don't see why you haven't just followed up on the bug #904699 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904699 Assume good faith. The package description covers why it has such a long list: Raw FFI bindings for all of Windows API - Rust source code https://packages.debian.org/unstable/librust-winapi-dev > > a few days ago I reported bug #904699 > as nothing happened since then, I started to hunt down the reason > for this bug, and what I found made me kind of speechless. > > As I expected the reported problem is not in cdebootstrap itself > and not even in debian-installer (it is actually reported > from a d-i library call) but in the package list and metadata instead > I've used snapshot.debian.org to find since when the problem exists, > and found it has been introduced on July 8th. https://tracker.debian.org/news/971710/accepted-rust-winapi-035-1-amd64-source-into-unstable-unstable/ > Looking at the changes I probably found the reason. > > Please have a closer look at the meta data of package > librust-winapi-dev - as this is just wrong. > The package has > Size: 744344 744344 bytes == 726kB > but > Installed-Size: 5839 > How is that even possible? Size: bytes Installed-Size: kilobytes See https://packages.debian.org/unstable/librust-winapi-dev Architecture Package Size Installed Size Files amd64 726.9 kB 5,839.0 kB [list of files] > > But it's worse, the package has a Provides: line > and quotes 1336(!) packages making that single > line more than 57 kByte length. Yes. seriously. But no, that's > insane. It's very long, yes. However, if it causes problems then it is up to the tools to adapt. There's nothing in Policy to put a maximum limit and the package was accepted by ftp-master with this list in the source package. Seeing as only certain tools have problems with the length then it would make sense that the problem is fixed in those tools, not by retrospective changes in Policy after the package has been accepted and migrated into buster. I don't use rust, I've only looked at it briefly some months back, but this does look like some of the issues reported with how rust handles dependencies. Similar things happen in the nodeJS space. There are plenty of people who don't like this kind of behaviour, plenty of developers consider it to be unpalatable or a reason not to use those languages. However, there is no reason to lay accusations of malice. > > It breaks debian-installer (you can't install testing or sid > with it right now) and it breaks cdebootstrap - and most probably > any other package that uses d-i libraries to parse the packagelist debootstrap appears fine. $ sudo debootstrap buster buster .... I: Base system installed successfully. Works fine. > > I'm writing you because to me - and I hope I'm terribly wrong > about this - this looks just like a malicious joke as in "look, > I can break your C code with an extra long line. It wouldn't have > happened if you used rust" - but that's just my mind trying to > find an explanation why somebody would define a >57kB line in > the package metadata. Opinions will vary but principally, that is how to express the full API which this package is trying to do. In some ways, if this one package can integrate all of those packages into itself, it is doing Rust a favour. There are other oddities in the package, e.g. it depends on both i686 and x86_64 packages which do not (yet?) exist and is built for architectures like arm64 and s390x where it seems unlikely that windows code would exist. I don't know enough about Rust to know whether those are actual problems. > > And as I just want to avoid some unnecessary fighting or insulting > or anything similar I thought it would be best to contact a third > party to have a look at this issue > > I'm not sure you are the right group to contact about this, but I'm > sure if you are not you can redirect it to whereever it should go. > You need to feed back to the cdebootstrap bug, in good faith, and go from there. Forget about "malice" and just deal with the problem at hand: As Policy is currently, cdebootstrap is failing to handle a valid Packages.gz file when other tools, like debootstrap and the archive tools themselves, do not have issues. That is a bug in the tool, not the package providing the long list. -- Neil Williams home@codehelp.co.uk
Attachment:
pgpZfqW82Vx7X.pgp
Description: OpenPGP digital signature