[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

duplicate packages in Sources and Packages files


Ftpmasters have done a change that possibly has very large side effects.
>From d-d-a:
> Tracking arch all packages
> --------------------------
> #246992 asked us to not delete arch all packages before the
> corresponding (if any) arch any packages are available for all
> architectures.  Example: whenever a new source package for emacs23
> gets uploaded the installation of the metapackage emacs_*_all.deb
> breaks on most architectures until the needed Architecture: any
> packages like emacs23 get built by the buildds. That happens because
> dak removes all arch: all packages but the newest one.
> While this behaviour is easily documented and one can easily devise a
> fix ("just keep the arch all until the any is there, stupid"), the
> actual implementation of it contains several nasty corner cases
> which is why it took so long to fix.
> Thankfully Torsten Werner took on this task during the meeting [2] and
> we are now in a position where we can merge his work.  We'll email
> before turning on this feature so that people can watch out of any
> strange cases which could cause problems.

(I can't find the email announcing that it was turned on, but that's
another issue, possibly with my mail handling ;)

The result of that change is that the structure of the Sources and
Packages files have changed: before, there was only one version of each
source or binary package in each suite (unstable, testing, stable). There
can now be several versions of the same source or binary package in the
same suite. As a result, you can now find several stanzas for the same
source package in a Sources file, and several stanzas for the same binary
package in a Packages file.

Really, that's important. If you parse the Sources or the Packages file
somewhere, it is likely that your code is broken.
Example: you want to extract the maintainer for a given source package.
Before: Parse Sources, find the package you are interested in, get the
Now: Parse Sources, find all the versions of the package you are
  interested in, compare their version number to keep the most recent
  one, get the maintainer. (yes, you need code to compare versions,
  or rely on dpkg --compare-versions).

Several tools have been broken by this change. TTBOMK:
Already fixed:
* britney (#559346)
* security tracker
* UDD (partially)
Affected, not fixed yet:
* Packages Tracking System (#560352)
* Developer's Packages Overview (#560352)
* lintian.d.o
* DEHS (#560697, fixed partially)
It is likely that other tools and scripts are affected. And there might
also be some affected packages (debmirror? APT proxies?).

So, where should we go from there? Our options are:
- find & fix all the occurences of the problem ASAP. Please report it
  if you notice strange things about version numbers or other data
  that possibly comes from Sources/Packages.
- ask ftpmasters to revert the change until the squeeze release


Note: for testing, it's easy to get a list of duplicate packages using
-> duplicate sources:
select s1.release, s1.source, s1.version, s2.version
from sources s1, sources s2
where s1.distribution = s2.distribution and s1.release = s2.release
and s1.component = s2.component and s1.source = s2.source
and s1.version < s2.version;
(1204 source packages currently)
-> duplicate binary packages:
select p1.release, p1.package, p1.version, p2.version
from packages p1, packages p2
where p1.distribution = p2.distribution and p1.release = p2.release
and p1.component = p2.component and p1.architecture = p2.architecture
and p1.package = p2.package and p1.version < p2.version;
(506 binary packages currently)

- Lucas

Reply to: