Bug#991156: unblock: config-package-dev/5.6 [pre-approval]
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: config-package-dev@mit.edu
Hi release team,
This is a pre-approval request to get a sense of your willingness to
unblock config-package-dev to handle usrmerge/dpkg issues.
[ Reason ]
config-package-dev is a Debhelper (and CDBS) add-on for writing packages
that use dpkg-divert to customize other packages' behavior. (The target
audience is people customizing Debian for a university/company/etc. or
preparing derivatives. Notable public users include Debathena and Whonix.
That is, config-package-dev is a leaf package in the Debian archive, with
no build-rdeps.)
As noted on https://wiki.debian.org/Teams/Dpkg/MergedUsr , "dpkg-divert is
currently broken by" the current implementation of usrmerge. What this
seems to mean, specifically, is that if you divert a binary by the wrong
name - e.g., dpkg-divert /bin/less instead of /usr/bin/less - the
diversion is useless, and the underlying package can overwrite a file that
was supposed to be diverted.
I think config-package-dev ought to address this, somehow. Some options
are listed in my email to our mailing list, where I also demonstrate what
can go wrong:
http://mailman.mit.edu/pipermail/config-package-dev/2021-July/000066.html
Options range from just documenting the issue to actually trying to
address it in some fashion. I don't yet have a change ready for any of
these options; I'm trying to gauge what you think is acceptable vs. too
risky at this point in freeze.
[ Impact ]
A user on a usrmerged system could easily notice a file in (e.g.) /usr/bin
and try to build a config-package of it without realizing the file
actually lives in (e.g.) /bin. Things would even appear to work after
installing the config-package, because the file would get renamed on disk;
they would break after the underlying package (the target of the
diversion) gets upgraded or reinstalled.
[ Tests ]
The examples directory contains a handful of sample source packages using
most of config-package-dev's features. autopkgtests cover building but not
installing those packages, so testing would be manual. Also, the tests
only cover the positive case, using the correct paths, as opposed to the
negative case, but manual testing of that would be easy (see the linked
email above for essentially a currently-failing test case).
[ Risks ]
As noted, this is a leaf package within the Debian archive, so the risk to
Debian itself from getting the change wrong would be low.
The major alternative here would be fixing dpkg to handle diversions (and
perhaps many other things) correctly on a usrmerged system. From the tone
of the discussion, I would guess that this certainly isn't going to happen
before Bullseye release, but if you're aware of work along those lines, I
would be happy to wait for that / contribute to it / test it.
[ Checklist ]
[ ] all changes are documented in the d/changelog
[ ] I reviewed all changes and I approve them
[ ] attach debdiff against the package in testing
[ Other info ]
I'm open to whatever level of change you think is fine. I would prefer
fixing it (somehow) to merely documenting it; if you think I should try to
fix it and come back with a debdiff, I'm happy to do that.
unblock config-package-dev/5.6
Thanks,
--
Geoffrey Thomas
https://ldpreload.com
geofft@ldpreload.com
Reply to: