Hi!

This is an update on dpkg development, with general updates, and a broad
summary of new features (mostly interface additions; see the man pages
for further information), user visible or very significant changes since
the last announce [A] covering the dpkg 1.16.x series.

  [A] <https://lists.debian.org/debian-devel-announce/2015/03/msg00011.html>

General News
============

* Raphaël Hertzog has stepped down as maintainer.

* The debsig-verify and dpkg-repack packages have been taken over under
  the “Dpkg Developers” umbrella, to be hopefully assimilated into dpkg
  proper in the future.

* The wiki [W] has been revamped; there's a FAQ [F] now too, and pages
  listing source [S] and binary [B] package format support, among others.

  [W] <https://wiki.debian.org/Teams/Dpkg>
  [F] <https://wiki.debian.org/Teams/Dpkg/FAQ>
  [S] <https://wiki.debian.org/Teams/Dpkg/DscSupport>
  [B] <https://wiki.debian.org/Teams/Dpkg/DebSupport>

* Commit message mailing list back alive: email@example.com

  The list has been silent (due to a change in the commit notification
  scripts not matching the list setup) for the duration of the 1.17.x
  series, it should be now back to normal. I'm undecided if bouncing
  missing mails would be useful, as it's unlikely anyone would go through
  the flood? Please let me know. Alternatively you can also subscribe for
  VCS updates through the PTS/tracker.

* Branches now named after the series versions.

  For downstream distributors it's not always easy to know which Debian
  release matches what dpkg series, so now the branches are named based
  on the series versions, backward compatibility refs have been created.
  The new names are 1.13.x (etch), 1.14.x (lenny), 1.15.x (squeeze),
  1.16.x (wheezy) and 1.17.x (jessie).

* Porting system access or automated builds sought.

  Portability in dpkg is very important, to be able to support
  downstreams and people who use it on other systems, or even package it
  in other (non-GNU/Linux) distributions.
  But for many such systems I'm currently porting purely through
  documentation. And as such, subsequent build and run-time issues are
  clearly reactive, but I'd like to switch to a more proactive model. So
  I'd very much appreciate if either interested parties could provide
  access to such systems, or setup some kind of continuous integration
  system from git. I'm thinking specifically of systems such as non-glibc
  based Linux, FreeBSD, NetBSD, OpenBSD, Minix, Solaris, Mac OS X, HP-UX
  and AIX.

1.17.x (Debian Jessie)
======

General
-------

* Many memory and file descriptor leaks, out-of-bounds, non-security
  sensitive TOCTOU races, and use-after-free fixes.
* Many error messages have been improved.
* Major formatting and text organization cleanup of man pages.
* All databases with user data are now backed up by the dpkg cron job.
* Some non-controversial changes have been merged that remove
  unreproducibility from the source and binary packages build process.
* Add support for versioned Provides [!]:
  - Packages can provide a specific version, “virtual (= 1.0)” which
    will be honored, previously it would just be accepted when parsing.
  - Non-versioned virtual packages will not satisfy versioned
    dependencies.
  - Versioned virtual packages will satisfy non-versioned dependencies.
* Switch the dpkg files database string hashing function from what
  appears to be a custom hash function to the libdpkg FNV-1a
  implementation.
* Double the dpkg files database hash table size to the closest 2^18
  prime.
* Improved test suite setup and coverage [C] (although dpkg-test.git does
  not yet have a coverage report).

  [C] <https://dpkg.alioth.debian.org/coverage/>

Portability
-----------

* Improvements to the dpkg build system:
  - Check availability of warning flags at build time.
  - Support non-GCC compilers by default.
  - Allow to override the run-time GNU tar binary to use, at build time.
* Do not assume sensible-editor is present in «dpkg-source --commit».
* Use makedev(3) when extracting .deb archives rather than ad-hoc
  computations, to be able to support large major/minor device numbers,
  supported on at least Linux, NetBSD and OpenBSD based systems.
* Fixes for Mac OS X, BSD, Android and uclibc based systems, to reduce
  the delta they are carrying.

Changes in dpkg.deb
~~~~~~~~~~~~~~~~~~~

Architectures
-------------

* Bump GNU triplets: any-i386 now maps to i586-*-gnu.
* New CPUs: any-or1k, any-mips64, any-mips64el, any-powerpcel,
  any-ppc64el.
* New GNU/Linux systems: mipsn32 and mipsn32el.
* Remove GNU/Linux systems: lpia.
* New Linux systems: musl-linux-any.
* New BSD systems: dragonflybsd-any.
* Drop the archtable file, it was Debian-archive specific and serves no
  purpose anymore.

Triggers
--------

* Activate file triggers on removal and disappearance more accurately,
  only when we know we are inevitably removing things.
* Add support for new «interest-await» and «activate-await» trigger
  directives.
* The recently introduced deferred trigger processing when packages do
  not fulfill dependencies has been disabled (only in the 1.17.x series)
  as it was still giving upgrade problems so close to the Debian release.

dpkg-deb
--------

* New --ctrl-tarfile command.
* More strict checking of non-conformant .deb archives.
* New --deb-format option that replaces the --new and --old options.
* Switch default compressor from gzip to xz. (Downstreams can select a
  different default at dpkg build time using
  --with-dpkg-deb-compressor.)
* Deprecate bzip2 as a compressor.
* Add support for gzip compression strategies («filtered», «huffman»,
  «rle» and «fixed»).
* Add support for .deb archives with a control member not compressed
  (control.tar) or compressed with xz (control.tar.xz).
* Add support for uniformly compressed .deb archive members, with new
  --uniform-compression option (this might become the default in 1.18.x).
* Change «-Zgzip -z0» to generate non-compressed members (instead of
  uncompressed members with a .gz extension), as documented.
* Reset environment variables affecting compressor commands when not
  using the shared library implementations. Namely XZ_DEFAULTS, XZ_OPT,
  BZIP and BZIP2.
* Change --field to use libdpkg's deb822 parser.
* Change conffile name length warning into an error, as dpkg will reject
  those packages at install time anyway.
* Remove arbitrary filename limits from dpkg-deb when processing .deb
  archive contents.
* Do not warn anymore on user-defined field names.

dpkg-query
----------

* Correctly support multibyte strings on --list output, fixing unaligned
  columns and multiple mojibake issues.
* New virtual fields db:Status-Want, db:Status-Status and
  db:Status-Eflag.

dpkg-trigger
------------

* New --await option (which was and is currently the default).

dpkg-maintscript-helper
-----------------------

* Change default implicit package name arguments to be arch-qualified,
  which works better for Multi-Arch:same packages, but can cause problems
  for non-Multi-Arch:same ones.
* New dir_to_symlink and symlink_to_dir commands.

dpkg
----

* Improve SE Linux support:
  - The label database is reloaded if it changes during a package
    upgrade.
  - Maintainer scripts get their own «dpkg_script_t» execution context.
* Installation, removal and purging now always reset the want status, so
  this now resets the holds.
* Control file parser is more strict and does not allow several broken
  constructs or operations, like:
  - Empty field names.
  - Fields starting with a hyphen (which do not mix well with OpenPGP
    signatures).
  - Matching partial field names.
* On removal, check Depends and Pre-Depends fields for packages in
  unpacked and half-configured states too.
* Support a read-only root directory with a read-write overlay or a
  symlink farm, by not removing it or its backups.
* Remove arbitrary package conflictor limits (was 20, now “unlimited”).
* Try to preallocate disk size for extracted files on unpack. This should
  help avoid filesystem fragmentation and possibly improve performance on
  “new” filesystems.
* Improvements to the progress reporting messages.
  - Now all progress messages always print the package versions.
  - Now the “Preparing to unpack” and “Unpacking …” messages are
    symmetric.
* Pass DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT to maintainer scripts.
* Change directory to «/» before executing maintainer scripts.
* Add invoke hooks for dpkg --add-architecture and --remove-architecture.
* New --assert-versioned-provides command.
* New --verify command, and --verify-format option, with ‘rpm’ as the
  only current value supported, but the default might change in the
  future.
* Change --audit command to allow per-package checks.
* Change --update-avail and --merge-avail commands to allow getting
  Packages-files from standard input if the argument is omitted or is
  ‘-’.
* Make --set-selections warn that it needs an up-to-date «available»
  database when it gets passed unknown packages.
* Do not write to the «available» database anymore during unpack.

install-info
------------

* Remove this transitional wrapper. Systems should have been switched to
  the GNU install-info package implementation by now.

update-alternatives
-------------------

* More strict parsing of command-line arguments (e.g. fatal errors on out
  of range priorities).
* Use the current alternative link as the first best value to avoid
  flip-flops of alternatives with equal priority.

start-stop-daemon
-----------------

* New --pid and --ppid match options.
* New --remove-pidfile option.
* Use /proc/PID/status instead of /proc/PID/stat when using Linux procfs.
* Do not require /proc to be mounted on kFreeBSD systems, as linprocfs is
  not the native procfs on kFreeBSD, and programs on FreeBSD do not
  expect any procfs to be present anyway.
* Use a native kFreeBSD sysctl(3) method instead of using KVM to check
  for the executable.
* Add support for DragonFlyBSD.

Changes in dselect.deb
~~~~~~~~~~~~~~~~~~~~~~

* New architecture columns in package list view. The new columns, shown
  by default, can be turned off with the new ‘A’ key, or bound to another
  key via the new “archdisplay” keybinding.

Changes in libdpkg-perl.deb
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Perl Modules
------------

* Drop obsolete DM-Upload-Allowed support.
* Warn on usage of deprecated Source-Version substvar.
* Add support for GnuPG 2.x, gpg2/gpgv2 are preferred if installed,
  otherwise gpg and gpgv are used instead.
* Deprecate lowercase and exported by default variables from all modules.
* All public modules (ones with a version >= 1.0 in the CHANGES section)
  are documented now. Private modules that have documentation should have
  a version 0.xx in the CHANGES section.
* If a vendor does not have a Dpkg::Vendor module, try loading one of its
  ancestors, before falling back to Dpkg::Vendor::Default.

Changes in dpkg-dev.deb
~~~~~~~~~~~~~~~~~~~~~~~

General
-------

* Now -O option in dpkg-genchanges, dpkg-gensymbols and dpkg-shlibdeps
  always takes an optional filename argument.
* New -g and -G build type options, and only one different build type
  option is allowed now in dpkg-genchanges and dpkg-buildpackage.

Build Profiles
--------------

This [P] will allow to conditionally restrict build-time dependencies and
build parameters, with expressiveness similar to Gentoo USE flags.

  [P] <https://wiki.debian.org/BuildProfileSpec>

* Add support for build-time restriction formulas in dependencies
  enclosed in “<>”, as a disjunctive normal form expression:
  “pkgname (>= version) [arch-list] <foo> <bar baz> <!blub>”.
* New -P option in dpkg-checkbuilddeps and dpkg-buildpackage.
* Add support for DEB_BUILD_PROFILES environment variable.
* New Built-For-Profiles output field in .deb and .changes files.
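
Added example (not part of the original announcement, and not dpkg's own
code): a Python sketch of how a restriction formula such as the one quoted
under Build Profiles is evaluated in disjunctive normal form, and how a
Build-Depends field is filtered by it. The profile-name alphabet, the
function names and the sample field are assumptions made for the sketch.

```python
import re

# Added example, not dpkg code. Shape of one dependency:
#   name[:arch] (rel version) [arch-list] <group> <group> ...
DEP_RE = re.compile(r"""^\s*(?P<name>[a-z0-9][a-z0-9+.\-]+(?::[a-z0-9\-]+)?)
    \s*(?:\((?P<version>[^()]*)\))?
    \s*(?:\[(?P<arches>[^\[\]]*)\])?
    \s*(?P<groups>(?:<[^<>]*>\s*)*)$""", re.VERBOSE)
TERM_RE = re.compile(r"!?[a-z0-9][a-z0-9+.\-]*$")  # assumed name alphabet

def active_profiles(env):
    # DEB_BUILD_PROFILES carries a space-separated list of profile names.
    return set(env.get("DEB_BUILD_PROFILES", "").split())

def parse_dependency(dep):
    """Return (name, groups); groups is a list of lists of terms."""
    m = DEP_RE.match(dep)
    if m is None:
        raise ValueError(f"malformed dependency: {dep!r}")
    groups = [g.split() for g in re.findall(r"<([^<>]*)>", m.group("groups"))]
    for terms in groups:
        if not terms or not all(TERM_RE.match(t) for t in terms):
            raise ValueError(f"malformed restriction list in: {dep!r}")
    return m.group("name"), groups

def term_holds(term, active):
    # "!blub" holds when profile blub is NOT active; "foo" when it is.
    return term[1:] not in active if term.startswith("!") else term in active

def dependency_applies(dep, active):
    """DNF: OR across <...> groups, AND across the terms inside one group."""
    _, groups = parse_dependency(dep)
    return not groups or any(all(term_holds(t, active) for t in g) for g in groups)

def filter_build_depends(field, active):
    """Drop disabled alternatives; drop a whole entry when none remain."""
    kept = []
    for entry in field.split(","):
        alts = [a.strip() for a in entry.split("|") if a.strip()]
        alts = [a for a in alts if dependency_applies(a, active)]
        if alts:
            kept.append(" | ".join(alts))
    return kept

# Constructed sample field; the last entry is the formula quoted above.
SAMPLE = ("debhelper (>= 9), docs-tool <!nodoc>, "
          "pkgname (>= 1.0) [amd64] <foo> <bar baz> <!blub>")
```

The version and architecture parts are only recognised here, not
evaluated; a dependency with no “<>” groups always applies.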

dpkg-architecture
-----------------

* Add support for cross-compiler target system information via the new
  DEB_TARGET_ family of variables, and new -A and -T options to override
  defaulting to the host system.
* Add architecture restriction options for -L command. This allows to
  select specific subsets of all valid known architectures, matching by
  wildcard (-W), endianness (-E) or bits (-B). The restricting options
  can be combined, or omitted altogether.
* Now has saner command-line parsing so that «--option=value»,
  «--option value», «-ovalue» and «-o value» will all be accepted.
* Add long option names for all short options.

dpkg-source
-----------

* Change default source package compressor for new formats (>= 2.0) to
  xz.
* Source package building is more strict for 3.0 formats, the version has
  to match the format (native vs non-native).
* Source package parsing is more strict, disallowing several attack
  vectors, this might break packages with bogus patches.
* Use «tar --format=gnu» when creating source archives.
* New --ignore-bad-version extraction option.
* Add --build and --extract command aliases (to the existing -b and -x).
* Allow detached upstream signatures for upstream orig.tar files in the
  .dsc file.
* Add support for Testsuite source field (it is added automatically to
  .dsc if missing from debian/control and a debian/test/control is
  found).

dpkg-parsechangelog
-------------------

* New --show-field option.
* Add support for reading from standard input when using «-l-».
* Add support for parsing compressed changelog files.

dpkg-shlibdeps
--------------

* New -l option to replace having to abuse LD_LIBRARY_PATH to pass
  build-time paths.
* Honor Build-Depends-Arch for minimal version checks.

dpkg-gensymbols
---------------

* Add support for Ignore-Blacklist-Groups field in symbols files, with
  the two available group values «aeabi» and «gomp».
* Turn the ARM Embedded ABI symbols blacklist into a regex, to stop
  having to keep up with the GNU toolchain, or other toolchains emitting
  different symbols.
* Blacklist GOMP critical section symbols.

dpkg-gencontrol
---------------

* Warn when using the deprecated -is/-ip/-isp/-ips options.

dpkg-genchanges
---------------

* Add Architecture and Build-Profiles information to Package-List field,
  as key-value entries.

dpkg-buildflags
---------------

* Rename --export «configure» argument to «cmdline» (but preserve
  «configure» as a legacy alias).
* Mask «fortify» hardening option from output on «noopt» (glibc 2.16 and
  later issue a warning on this condition).
* Add support for «pie» and «stackprotector» to FFLAGS.
* Add support for GCJFLAGS, FCFLAGS, OBJCFLAGS and OBJCXXFLAGS build
  flags.
* Add support for new hardening feature «stackprotectorstrong».
* Add support for new qa feature area, with features «bug» and «canary».
* Add support for new reproducible feature area, with feature «timeless».

dpkg-buildpackage
-----------------

* New --force-sign option.
* UNRELEASED uploads are not signed by default anymore.
* Honour DEB_SIGN_KEYID environment variable.
* Move signing to the end of the build.
* Detect a missing gain-root-command even if running as root.
* Detect a missing sign-command before starting the build, to avoid a
  failure at the end of the process.
* Add shell hooks support, based on the debuild implementation in
  devscripts 2.13.9.
* New --check-command and --check-option options, and use
  DEB_CHECK_COMMAND environment variable as a default value, to specify a
  package checker (e.g. lintian) to use before the signing process.
* Add support for automatic parallel job selection with «-jauto»,
  matching currently active processors.
* New --host-arch, --host-type, --target-arch and --target-type options,
  which will be passed through to dpkg-architecture.

dpkg-scanpackages
-----------------

* New --hash option, to enable generating only specific file checksums.

1.18.x (Debian Stretch)
======

It is opening up in experimental or sid soon. Exciting things (at least
to people that can get excited by package management stuff :) will be
appearing in these series, but I'd rather not give spoilers just yet.
I'll also start sending some proposals and RFCs to the debian-devel
and/or debian-dpkg mailing lists shortly.

Thanks,
Guillem

--
[!] This one got a 4-digit bug number (#7330)!