
Bug#728937: apache2: broken in system upgrade due to mailgraph Recommends leading to tntnet installation



On 2013-11-07 14:20:30 +0100, Arno Töll wrote:
> On 07.11.2013 03:08, Vincent Lefevre wrote:
> > Severity: grave
> > Justification: renders package unusable
> 
> Your issue renders the package in no way unusable, or "causes data loss, or
> introduces a security hole allowing access to the accounts of users who
> use the package".

It was unusable, as starting apache2 failed. This is quite clear!
Fortunately, I've found the problem quite quickly (about half an
hour), but I was almost about to revert by using the backup. Some
other Ubuntu user had the same problem as me after upgrading his
laptop to Ubuntu 13.10 (I suppose that like for me, apache2 wasn't
installed before the upgrade), and he had a failing web server for
several days until I posted a reply to his message:

  http://mail-archives.apache.org/mod_mbox/httpd-users/201311.mbox/%3C1383788580.63411.YahooMailNeo@web120005.mail.ne1.yahoo.com%3E

So, various other users may be affected too, without knowing what
to do.

> In fact, it's not even a bug since you installed a leaf package
> directly which is not meant to be used standalone.

You're wrong. Users are not forced to install metapackages.
I probably did "apt-get install apache2-mpm-itk" to make sure
that this version of the server was installed (something that
"apt-get install apache2" doesn't). If you think that apache2
must have been installed too, then a "Depends: apache2" must
have been added (and "Provides: apache2" should probably have
been removed), or at least a "Recommends: apache2". Note that
apache2-mpm-itk provided httpd, so that there were no reasons
at all to install apache2 *explicitly*.

> > I had the following problem when upgrading Ubuntu from 13.04 to 13.10,
> > and since Debian has more or less the same packages (stable & sid), I
> > think it can be affected too.
> 
> Yet this is Debian, and not Ubuntu. I do not doubt your issue is in
> Debian, too but still it would be helpful if you verified your problem
> in Debian when reporting to a Debian bug tracker.

Well, this isn't easy to verify: it would mean that I would have
to install a Debian/stable in a VM (something I've never done)
with apache2-mpm-itk and mailgraph, and upgrade to sid...

> >   Installing tntnet as Recommends of mailgraph
> >     Installing libcxxtools9 as Depends of tntnet
> >     Installing libtntnet11 as Depends of tntnet
> >       Installing tntnet-runtime as Recommends of libtntnet11
> > 
> > The mailgraph Recommends has in particular: httpd | apache2. 
> 
> which is perfectly acceptable, since that's precisely what the
> recommends line tells.

The "Recommends:" line is acceptable, but the behavior was not.

> If you believe this is a problem and apache should be pulled
> instead, report a bug against mailgraph.

No! Apache was already installed (with httpd provided by
apache2-mpm-itk, so that this Recommends was satisfied). The
problem is that apt pulled tntnet *in addition* to Apache.

A Recommends on httpd | apache2 | apache2-mpm-worker |
apache2-mpm-prefork | apache2-mpm-event | apache2-mpm-itk might
have solved the problem, but I don't think it is up to mailgraph
to know the internals of Apache packages. It is the job of Apache
packages to make sure that the transition is OK.

> > As
> > the apache2 package wasn't installed on my machine (it is just
> > a metapackage with Apache 2.2, such as in Ubuntu 13.04 and the
> > current Debian stable, so that one can already have an Apache
> > server without this package), this can lead to the installation
> > of another web server such as tntnet via httpd.
> 
> You can. But it's not supported. That use case is meant for people
> embedding Apache as embedded server into their binaries, such as
> gnome-user-share. Everyone else is supposed to install apache2.

"Everyone else is supposed to..." without a Depends or Recommends?
That's insane!

Regards,

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

