On Mon, Oct 12, 2009 at 03:22:55PM +0000, Sylvain Le Gall wrote:
> I think it is a bit dangerous to have libX-ocaml v1.2 fulfill the
> dependencies of libX-ocaml-dev v1.3 if there is nothing detectable in
> the ABI checksum.

I think we all agree on this point. However, as far as I understand the current implementation, the case in which "there is nothing detectable in the ABI checksum" can never happen in practice.

Theoretically, we do have packages on which *by only looking at their content* we can't devise an ABI checksum. It is the case for packages shipping only dll stubs (e.g. libpcre-ocaml). They do have an implicit signature (corresponding to the assumptions they make on OCaml values passed to C code and back), but they are not inspectable with any of our inspection tools [1].

In practice however, dh_ocaml computes a single ABI checksum for all binary packages of a given source package and uses that checksum for the Provides of all binary packages. So, even packages containing only C stubs have their checksum.

So you don't have anything detectable only for source packages where no binary contains a single OCaml-related object. In essence: you never have that.

At present, I can't find any single case in which using the new mechanism opens the flank to more risks than the old one. (Sure, I'm blindly trusting the checksums here, but quick computations done by Stephane show that we have a probability of collision of about 1.6e-8, the probability of a dumb upstream author of releasing a new C library breaking ABI without bumping the soname is waaaay higher than that :-))

Cheers.

[1] Actually, this is rather interesting. I'm surprised that upstream has never thought about this: it would be terribly useful to store in some part of the .so a checksum which is verified at runtime before loading the .so. I guess there is a technical reason for not having done that, but I can't find exactly which at the moment.

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..| . |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime