Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not

To: debian-devel@lists.debian.org
Subject: Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
From: Paul Wise <pabs@debian.org>
Date: Mon, 24 Jan 2022 10:20:48 +0800
Message-id: <[🔎] f737cc08f71765c8f41c325d92003e9b3744db66.camel@debian.org>
In-reply-to: <Ye3Z9Dfk/kFw2N/n@mit.edu>
References: <[🔎] YeqL7XiE1Q9PCzWm@an3as.eu> <[🔎] ae00554c41106cb34b2e5caf0d7468a8d5bffec8.camel@debian.org> <[🔎] YerrECfe1f0Ph8aa@an3as.eu> <[🔎] 3743528.uvq3MHvE0L@localhost> <[🔎] YesBoDr6rCJVAisX@mit.edu> <[🔎] c44b8d27ee616937528c9d4fe03a503466513efc.camel@debian.org> <Ye3Z9Dfk/kFw2N/n@mit.edu>

On Sun, 2022-01-23 at 17:43 -0500, Theodore Y. Ts'o wrote:

> That only works if there are no other packages depending on those
> shared libraries which are coming from other source packages.

I don't think that is true, I believe you can put multiple things in
the depends section of an shlibs file and dpkg-shlibdeps will propagate
that to reverse dependencies just fine. From the manual pages it looks
like the same applies to the symbols files. I found on my system that
there are *already* packages that do something similar (see below).

> But my claim is that if the upstream can't manage to maintain a stable
> ABI, then maybe we shouldn't be trying to ship shared libraries.  But
> officially, that's not allowed, since it's considered bad.

Personally, to detect such upstreams I think Debian needs a service
tracking ABI using abipkgdiff (from abigail-tools) and pkg-abidiff.
Once we have that it isn't too much more work for Debian to maintain
the SONAME instead of upstream.

> If we have that solution for Rust and Golang, the maybe it can also
> make life easier for upstreams that can't maintain an ABI.

I initially mainly wanted it for static linking detection, I expect
there is some of that (at least in -static packages) in Debian and that
we are not thinking to rebuild such packages after security issues.

Packages that have complex dependencies in shlibs/symbols files:

$ grep -h '^lib.*,' /var/lib/dpkg/info/*.shlibs
libbfd 2.37.50-multiarch.20220106 binutils-multiarch (>= 2.37.50.20220106), binutils-multiarch (<< 2.37.50.20220107)
libopcodes 2.37.50-multiarch.20220106 binutils-multiarch (>= 2.37.50.20220106), binutils-multiarch (<< 2.37.50.20220107)
libbctoolbox 1 libbctoolbox1 (>= 4.4.0), libbctoolbox1 (<< 4.5.0)
libbellesip 1 libbellesip1 (>= 4.4.0), libbellesip1 (<< 4.5.0)
libbfd 2.37.50-system.20220106 libbinutils (>= 2.37.50.20220106), libbinutils (<< 2.37.50.20220107)
libopcodes 2.37.50-system.20220106 libbinutils (>= 2.37.50.20220106), libbinutils (<< 2.37.50.20220107)
libboost_python39 1.74.0 libboost-python1.74.0 (>= 1.74.0), libboost-python1.74.0-py39
libeabutil 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libeabwidgets 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libecontacteditor 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libecontactlisteditor 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libecontactprint 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libemail-engine 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libessmime 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-addressbook-importers 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-calendar-importers 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-calendar 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-mail-composer 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-mail-formatter 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-mail-importers 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-mail 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-shell 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-smime 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libevolution-util 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libgnomecanvas 0 libevolution (>= 3.42.3), libevolution (<< 3.43)
libgconf-2 4 libgconf-2-4 (>= 2.31.1), gconf-service
libgnustep-base 1.28 libgnustep-base1.28 (>= 1.28.0), gnustep-base-runtime (>= 1.28.0)
libortp 15 libortp15 (>= 1:4.4.0), libortp15 (<< 1:4.5.0)
libphonon4qt5 4 libphonon4qt5-4 (>= 4:4.11.1), phonon4qt5
libtotem 0 libtotem0 (>= 3.38.2-1), libtotem0 (<< 3.39)

$ grep -h ',.*<<' /var/lib/dpkg/info/*.symbols
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6 (>> 2.33), libc6 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-i386 (>> 2.33), libc6-i386 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libc6-x32 (>> 2.33), libc6-x32 (<< 2.34)
| libncurses5 #MINVER#, libncurses5 (<< 6.4~)
| libncurses5 #MINVER#, libncurses5 (<< 6.4~)
| libncurses5 #MINVER#, libncurses5 (<< 6.4~)
| libncurses5 #MINVER#, libncurses5 (<< 6.4~)
| libncurses6 #MINVER#, libncurses6 (<< 6.4~)
| libncurses6 #MINVER#, libncurses6 (<< 6.4~)
| libncurses6 #MINVER#, libncurses6 (<< 6.4~)
| libncurses6 #MINVER#, libncurses6 (<< 6.4~)
| libncursesw5 #MINVER#, libncursesw5 (<< 6.4~)
| libncursesw5 #MINVER#, libncursesw5 (<< 6.4~)
| libncursesw5 #MINVER#, libncursesw5 (<< 6.4~)
| libncursesw5 #MINVER#, libncursesw5 (<< 6.4~)
| libncursesw6 #MINVER#, libncursesw6 (<< 6.4~)
| libncursesw6 #MINVER#, libncursesw6 (<< 6.4~)
| libncursesw6 #MINVER#, libncursesw6 (<< 6.4~)
| libncursesw6 #MINVER#, libncursesw6 (<< 6.4~)
| libnsl2 (>> 1.3.0), libnsl2 (<< 1.3.1)
| libtinfo5 #MINVER#, libtinfo5 (<< 6.4~)
| libtinfo5 #MINVER#, libtinfo5 (<< 6.4~)
| libtinfo6 #MINVER#, libtinfo6 (<< 6.4~)
| libtinfo6 #MINVER#, libtinfo6 (<< 6.4~)
| libx265-199 (>= 3.5), libx265-199 (<< 3.6)

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Back to the topic of changed binary named (Was: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not))
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: "Theodore Y. Ts'o" <tytso@mit.edu>

References:
- Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: Andreas Tille <andreas@an3as.eu>
- Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: "M. Zhou" <lumin@debian.org>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: "Theodore Ts'o" <tytso@mit.edu>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: Paul Wise <pabs@debian.org>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: "Theodore Y. Ts'o" <tytso@mit.edu>

Prev by Date: Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
Next by Date: Re: The future of src:ntp
Previous by thread: Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
Next by thread: Back to the topic of changed binary named (Was: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not))
Index(es):
- Date
- Thread