On 19.11.21 11:58, Philip Hands wrote:
Ansgar <ansgar@43-1.org> writes:* doing this will, in a non-negligible number of cases, trigger the bug to manifest on systems where that package is upgraded from a version where the move had not taken place to one where it has.Why do you claim that? Given packages already did such moves in the last years and you claim this happens in a non-negligible number of cases, could you please point to some examples where this already happens in practice?My understanding is that in order to trigger this bug you need at least to both move a file from one place to the other, and also to rename the package that contains that file or move ownership to another package. I suspect that you might also need to be unlucky with the order that apt/dpkg decides to do the installation and, depending upon how far apart the move and the rename happens, also unlucky with your choice of from and to versions of the packages in question.
Right. I think it would be immensely useful to have an actual reproducer so one could study the issue more closely or at least a bug report, which describes the issue in more detail, like the exact circumstances when this can happen.
So far this is merely theoretical, right? Or do we have a documented instance of this happening?
Given that these bugs are going to be utter bastards to reproduce, and you can be sure that we'll have enough diversity in installed systems that some people are going to manage to be sufficiently unlucky, it would be nice to know the sort of damage we might expect. It strikes me that we ought to be able to screen our own repos for packages that could be able to tickle this bug. That would give us the chance to look at what sorts of files we might realistically expect to be clobbered, it should give some indication of how many packages we should expect to be able to trigger this, and knowing this might suggest plausible work-arounds. Of course, that doesn't help with packages from third-party repos, including our downstreams, but at present we seem to be discussing this with very little hard data. It occurs to me that one could lose quite a few files on the average Debian install (if they were selected at random) without even noticing,
Shouldn't debsums be able to detect such missing files (at least for the vast majority of packages which ship a md5sums file).
I run that semi-regularly on all of my systems, most of them are /usr-merged and I haven't noticed any missing files yet which I could trace
whereas a very few files would render systems unbootable, so knowing a bit more about which files are realistically at risk would be very helpful in understanding the severity of the problem. If anyone's got good ideas about how to gather this information, I'm very happy to help with the effort to do so.
I'd be more then happy to help here as well. Regards, Michael
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature