
Bug#991156: marked as done (unblock: config-package-dev/5.6 [pre-approval])



Your message dated Sun, 18 Jul 2021 21:13:10 +0200
with message-id <97d7046a-e338-e1db-0e82-f2a98def855a@debian.org>
and subject line Re: Bug#991156: unblock: config-package-dev/5.6 [pre-approval]
has caused the Debian Bug report #991156,
regarding unblock: config-package-dev/5.6 [pre-approval]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991156: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991156
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: config-package-dev@mit.edu

Hi release team,

This is a pre-approval request to get a sense of your willingness to unblock config-package-dev to handle usrmerge/dpkg issues.

[ Reason ]

config-package-dev is a Debhelper (and CDBS) add-on for writing packages that use dpkg-divert to customize other packages' behavior. (The target audience is people customizing Debian for a university/company/etc. or preparing derivatives. Notable public users include Debathena and Whonix. That is, config-package-dev is a leaf package in the Debian archive, with no build-rdeps.)

As noted on https://wiki.debian.org/Teams/Dpkg/MergedUsr , "dpkg-divert is currently broken by" the current implementation of usrmerge. What this seems to mean, specifically, is that if you divert a binary by the wrong name - e.g., dpkg-divert /bin/less instead of /usr/bin/less - the diversion is useless, and the underlying package can overwrite a file that was supposed to be diverted.

I think config-package-dev ought to address this, somehow. Some options are listed in my email to our mailing list, where I also demonstrate what can go wrong: http://mailman.mit.edu/pipermail/config-package-dev/2021-July/000066.html

Options range from just documenting the issue to actually trying to address it in some fashion. I don't yet have a change ready for any of these options; I'm trying to gauge what you think is acceptable vs. too risky at this point in freeze.

[ Impact ]

A user on a usrmerged system could easily notice a file in (e.g.) /usr/bin and try to build a config-package of it without realizing the file actually lives in (e.g.) /bin. Things would even appear to work after installing the config-package, because the file would get renamed on disk; they would break after the underlying package (the target of the diversion) gets upgraded or reinstalled.

[ Tests ]

The examples directory contains a handful of sample source packages using most of config-package-dev's features. autopkgtests cover building but not installing those packages, so testing would be manual. Also, the tests only cover the positive case, using the correct paths, as opposed to the negative case, but manual testing of that would be easy (see the linked email above for essentially a currently-failing test case).

[ Risks ]

As noted, this is a leaf package within the Debian archive, so the risk to Debian itself from getting the change wrong would be low.

The major alternative here would be fixing dpkg to handle diversions (and perhaps many other things) correctly on a usrmerged system. From the tone of the discussion, I would guess that this certainly isn't going to happen before Bullseye release, but if you're aware of work along those lines, I would be happy to wait for that / contribute to it / test it.

[ Checklist ]
  [ ] all changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing

[ Other info ]

I'm open to whatever level of change you think is fine. I would prefer fixing it (somehow) to merely documenting it; if you think I should try to fix it and come back with a debdiff, I'm happy to do that.

unblock config-package-dev/5.6

Thanks,
--
Geoffrey Thomas
https://ldpreload.com
geofft@ldpreload.com

--- End Message ---
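
A check for the failure mode described in the request above, as an added example that is not part of the original thread or of config-package-dev: it parses `dpkg-divert --list` style lines and flags diversions registered under the merged-/usr alias of the path a package actually ships. The package names, sample listing and ownership map are constructed, and the set of merged directories is an assumption.

```python
import re

# Top-level directories that merged-/usr turns into symlinks into /usr
# (assumption: the usual usrmerge set; adjust for your architecture).
MERGED_DIRS = ("bin", "sbin", "lib", "lib32", "lib64", "libx32")

# Line format printed by `dpkg-divert --list`.
DIVERSION_RE = re.compile(
    r"^(?:local )?diversion of (?P<path>\S+) to (?P<dest>\S+)(?: by (?P<pkg>\S+))?$"
)

# Constructed sample input; the package names are hypothetical.
SAMPLE_LIST = """\
diversion of /bin/less to /bin/less.distrib by example-less-config
diversion of /usr/bin/vim to /usr/bin/vim.distrib by example-vim-config
local diversion of /etc/motd to /etc/motd.orig
"""
# Constructed map: path as recorded in a package's file list -> owning package.
SAMPLE_SHIPPED = {"/usr/bin/less": "less", "/usr/bin/vim": "vim",
                  "/etc/motd": "example-base"}

def alias(path):
    """Return the other spelling of a path under merged-/usr, or None."""
    parts = path.split("/")  # "/bin/less" -> ["", "bin", "less"]
    if len(parts) > 2 and parts[1] in MERGED_DIRS:
        return "/usr" + path
    if len(parts) > 3 and parts[1] == "usr" and parts[2] in MERGED_DIRS:
        return path[len("/usr"):]
    return None

def parse_diversions(listing):
    """Parse diversion lines into (path, dest, diverting package or None)."""
    matches = (DIVERSION_RE.match(l.strip()) for l in listing.splitlines())
    return [(m["path"], m["dest"], m["pkg"]) for m in matches if m]

def ineffective_diversions(listing, shipped):
    """Flag diversions whose path no package ships while its alias is shipped."""
    findings = []
    for path, _dest, by in parse_diversions(listing):
        other = alias(path)
        if path not in shipped and other in shipped:
            findings.append({"diverted": path, "shipped_as": other,
                             "owner": shipped[other], "diverted_by": by})
    return findings

if __name__ == "__main__":
    for f in ineffective_diversions(SAMPLE_LIST, SAMPLE_SHIPPED):
        print("{diverted} is diverted, but {owner} ships {shipped_as}".format(**f))
```

On a real system the two inputs would come from `dpkg-divert --list` and the installed packages' file lists.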
--- Begin Message ---
Hi Geoffrey,

On 16-07-2021 04:47, Geoffrey Thomas wrote:
> As noted on https://wiki.debian.org/Teams/Dpkg/MergedUsr , "dpkg-divert
> is currently broken by" the current implementation of usrmerge. What
> this seems to mean, specifically, is that if you divert a binary by the
> wrong name - e.g., dpkg-divert /bin/less instead of /usr/bin/less - the
> diversion is useless, and the underlying package can overwrite a file
> that was supposed to be diverted.

I'm pretty sure that this applies to fresh installs of buster too....

> I think config-package-dev ought to address this, somehow. Some options
> are listed in my email to our mailing list, where I also demonstrate
> what can go wrong:
> http://mailman.mit.edu/pipermail/config-package-dev/2021-July/000066.html

so, why the rush?

> Options range from just documenting the issue to actually trying to
> address it in some fashion. I don't yet have a change ready for any of
> these options; I'm trying to gauge what you think is acceptable vs. too
> risky at this point in freeze.

Unless I'm mistaken about buster, I really think this particular issue
doesn't warrant a rushed fix *now*. I suggest you take the time to make
up your mind and if you still think this needs fixing, you probably want
to fix it via stable upload and also fix it in buster.

Paul



--- End Message ---
