
Bug#699759: marked as done (apt: score computation may prefer obsolete installed packages over their successors)



Your message dated Wed, 08 May 2013 17:03:09 +0000
with message-id <E1Ua7ll-0005UW-6S@franck.debian.org>
and subject line Bug#699759: fixed in apt 0.9.8
has caused the Debian Bug report #699759,
regarding apt: score computation may prefer obsolete installed packages over their successors
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
699759: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699759
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.9.7.7
Severity: serious

Hi,

there is a problem in apt's score computation (algorithms.cc,
MakeScores()) w.r.t. the negative scores for "optional" and "extra"
packages. Adding abs(negative score) to some package may give an
incorrect boost to that package.

Setting severity to serious as this should be fixed (and this seems possible
in a rather non-intrusive way) for wheezy, so that the fix will be
available for the wheezy->jessie upgrades in the future.

Note that I rebuilt (and slightly patched (to output non-boring packages
with score 0)) apt/sid for squeeze to have the "new" apt perform the
distupgrade from squeeze to wheezy - to see whether this works better
than squeeze's old apt - and to find problems still existing.

I consider any "kept back" during a distupgrade from any valid subset of
squeeze packages to wheezy as a "problem". Or an attempt to remove the
package to be tested if that still exists and is installable in wheezy.

I have a local piuparts instance running for this setup, so I could
easily check the effect of a fix on a large portion of the archive by
testing it on squeeze->wheezy upgrades.

One of the first problems I noticed was apt preferring to keep back
libhangul-dev instead of kicking out libhangul0, libhangul0-data and
installing libhangul1, libhangul-data.

Setup is a minimal squeeze system with no recommends and libhangul-dev
installed, there 'apt-get dist-upgrade' to wheezy is being run.

From the attached log:

  2 liblzma2 [ amd64 ] < 5.0.0-2 > ( libs )
  1 uuid-runtime [ amd64 ] < none -> 2.20.1-5.3 > ( libs )
  1 libldap-2.4-2 [ amd64 ] < none -> 2.4.31-1 > ( libs )
  1 bsdmainutils [ amd64 ] < none -> 9.0.3 > ( utils )
  1 psmisc [ amd64 ] < none -> 22.19-1+deb7u1 > ( admin )
  1 apt-utils [ amd64 ] < none -> 0.9.7.7 > ( admin )
  1 awk [ amd64 ] < none > ( none )
* 1 libhangul0-data [ amd64 ] < 0.0.11-2 > ( libs )
  1 libgpm2 [ amd64 ] < none -> 1.20.4-6 > ( libs )
  1 libpng12-0 [ amd64 ] < none -> 1.2.49-1 > ( libs )
  1 bash-completion [ amd64 ] < none -> 1:2.0-1 > ( shells )
  1 libdb4.8 [ amd64 ] < 4.8.30-2 > ( libs )
  1 gnupg-curl [ amd64 ] < none -> 1.4.12-7 > ( utils )
* 0 libhangul-data [ amd64 ] < none -> 0.1.0-2 > ( libs )
  0 gcc-4.4-base [ amd64 ] < 4.4.5-8 -> 4.4.7-2 > ( libs )
  0 libsemanage-common [ amd64 ] < none -> 2.1.6-6 > ( libs )
* 0 libhangul-dev [ amd64 ] < 0.0.11-2 -> 0.1.0-2 > ( libdevel )
  0 libustr-1.0-1 [ amd64 ] < none -> 1.0.4-3 > ( libs )
* 0 libhangul1 [ amd64 ] < none -> 0.1.0-2 > ( libs )
* -1 libhangul0 [ amd64 ] < 0.0.11-2 > ( libs )
  Starting 2
  Investigating (0) libhangul-data [ amd64 ] < none -> 0.1.0-2 > ( libs )
  Broken libhangul-data:amd64 Conflicts on libhangul0-data [ amd64 ] < 0.0.11-2 > ( libs )
    Considering libhangul0-data:amd64 1 as a solution to libhangul-data:amd64 0
    Holding Back libhangul-data:amd64 rather than change libhangul0-data:amd64
  Investigating (0) libhangul1 [ amd64 ] < none -> 0.1.0-2 > ( libs )
  Broken libhangul1:amd64 Depends on libhangul-data [ amd64 ] < none -> 0.1.0-2 > ( libs ) (>= 0.1.0-2)
    Considering libhangul-data:amd64 0 as a solution to libhangul1:amd64 0
    Holding Back libhangul1:amd64 rather than change libhangul-data:amd64
  Investigating (1) libhangul-dev [ amd64 ] < 0.0.11-2 -> 0.1.0-2 > ( libdevel )
  Broken libhangul-dev:amd64 Depends on libhangul1 [ amd64 ] < none -> 0.1.0-2 > ( libs ) (= 0.1.0-2)
    Considering libhangul1:amd64 0 as a solution to libhangul-dev:amd64 0
    Holding Back libhangul-dev:amd64 rather than change libhangul1:amd64
   Try to Re-Instate (2) libhangul-dev:amd64
  Done
  The following NEW packages will be installed:
    gcc-4.7-base libdb5.1 liblzma5 libmount1 libpam-modules-bin
    libsemanage-common libsemanage1 libtinfo5 libustr-1.0-1 multiarch-support
  The following packages have been kept back:
    libhangul-dev
  The following packages will be upgraded:

The dependency chains are:

squeeze: libhangul-dev -> libhangul0 -> libhangul0-data
wheezy:  libhangul-dev -> libhangul1 -> libhangul-data

Let me try to compute the scores manually after reading algorithms.cc
MakeScores():

First round (initialization):

libhangul-dev => 0
  -1 optional
   1 installed and not obsolete

libhangul0 => -1
  -1 optional
   0 installed but obsolete

libhangul0-data => 0
  -1 optional
   0 installed but obsolete
   1 rdepends (libhangul0)

libhangul1 => 0
  -1 optional
   0 not installed
   1 rdepends (libhangul-dev)

libhangul-data => 0
  -1 optional
   0 not installed
   1 rdepends (libhangul1)

Second round (one level propagation):

libhangul-dev => 0
   0 round 1
   0 no rdepends

libhangul0 => -1
  -1 round 1
   0 no rdepends

libhangul0-data => 1
   0 round 1
   1 libhangul0: abs(-1)

libhangul1 => 0
   0 round 1
   0 libhangul-dev

libhangul-data => 0
   0 round 1
   0 libhangul1

Oops, now libhangul0-data (1) is more valuable than libhangul-data (0)

The flaw is here:

    Scores[I->ID] += abs(OldScores[D.ParentPkg()->ID]);

as "optional" leaf packages will have a score of -1 - and even worse,
"extra" leaf packages will have a score of -2. Running abs() on this
gives a boost to the wrong packages.

Suggestions for alternative propagation functions:

  // current and wrong
  Score += abs(RDepScore)

  // ignore negatives, they already contributed
  // PrioDepends/PrioRecommends to our score
  Score += max(0, RDepScore)

  // ignore negatives, but give another point for the rdep
  Score += max(1, RDepScore)

  // give a point for all rdeps, not only the low scoring ones
  Score += 1 + max(0, RDepScore)

  maybe replace 1 with PrioDepends/PrioRecommends as fitting

Another possibility would be to add 3 to all scores to move them out of
the negative area. (That would also distinguish scores initialized to 0
(i.e. boring packages) and scores that added up to 0 (i.e. interesting
packages) because that can no longer happen).

As I said above, I'd like to test your preferred choice :-)


Andreas

PS: The next interesting point to analyze are the problems with the
libjpeg-dev transition (a virtual package that moved from libjpeg62-dev
to libjpeg8-dev) that is currently solved miserably by apt/squeeze -
usually preferring to keep libjpeg62-dev/squeeze instead of installing
libjpeg8-dev/wheezy. So far I only have 12000 of 28000 packages
tested and the libjpeg-dev dependencies seem to come later ... and that
problem could be related to the current one.

Attachment: hangul.log.gz
Description: GNU Zip compressed data


--- End Message ---
--- Begin Message ---
Source: apt
Source-Version: 0.9.8

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699759@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 08 May 2013 18:43:28 +0200
Source: apt
Binary: apt libapt-pkg4.12 libapt-inst1.5 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 0.9.8
Distribution: unstable
Urgency: low
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package managment related utility programs
 libapt-inst1.5 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg4.12 - package managment runtime library
Closes: 154868 322074 620344 651640 699759 704653 704723 705087 705648
Changes: 
 apt (0.9.8) unstable; urgency=low
 .
   [ Ludovico Cavedon ]
   * properly handle if-modfied-since with libcurl/https
     (closes: #705648)
 .
   [ Andreas Beckman ]
   * apt-pkg/algorithms.cc:
     - Do not propagate negative scores from rdepends. Propagating the absolute
       value of a negative score may boost obsolete packages and keep them
       installed instead of installing their successors.  (Closes: #699759)
 .
   [ Michael Vogt ]
   * apt-pkg/sourcelist.cc:
     - fix segfault when a hostname contains a [, thanks to
       Tzafrir Cohen (closes: #704653)
   * debian/control:
     - replace manpages-it (closes: #704723)
 .
   [ David Kalnischkies ]
   * various simple changes to fix cppcheck warnings
   * apt-pkg/pkgcachegen.cc:
     - do not store the MD5Sum for every description language variant as
       it will be the same for all so it can be shared to save cache space
     - handle language tags for descriptions are unique strings to be shared
     - factor version string creation out of NewDepends, so we can easily reuse
       version strings e.g. for implicit multi-arch dependencies
     - equal comparisions are used mostly in same-source relations,
       so use this to try to reuse some version strings
     - sort group and package names in the hashtable on insert
     - share version strings between same versions (of different architectures)
       to save some space and allow quick comparisions later on
   * apt-pkg/pkgcache.cc:
     - assume sorted hashtable entries for groups/packages
   * apt-pkg/cacheiterators.h:
     - provide DepIterator::IsSatisfied as a nicer shorthand for DepCheck
   * apt-pkg/deb/debversion.cc:
     - add a string-equal shortcut for equal version comparisions
 .
   [ Marc Deslauriers ]
   * make apt-ftparchive generate missing deb-src hashes (LP: #1078697)
 .
   [ Yaroslav Halchenko ]
   * Fix English spelling error in a message ('A error'). Unfuzzy
     translations. Closes: #705087
 .
   [ Programs translations ]
   * French translation completed (Christian Perrier)
 .
   [ Manpages translations ]
   * French translation completed (Christian Perrier)
 .
   [ Daniel Hartwig ]
   * apt-pkg/contrib/strutl.cc:
     - include port in shortened URIs (e.g. with apt-cache policy, progress
       display) thanks to James McCoy (Closes: #154868, #322074)
     - percent-encode username and password when writing URIs
   * methods/http.cc:
     - properly escape IP-literals (e.g. IPv6 address) when building
       Host headers and URIs (Closes: #620344)
   * methods/https.cc:
     - use https_proxy environment variable if present, falling back to
       http_proxy otherwise
     - use authentication credentials from proxy URI
       (Closes: #651640, LP: #1087512)
     - environment variables do not override an explicit no proxy
       directive ("DIRECT") in apt.conf
     - disregard all_proxy environment variable, like other methods

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGKgy4ACgkQliSD4VZixzSsWwCeILYp85ky0KJWPqr+W67M7uXq
Hw0An2jzGjzbOQtOkiQA7+OGa5wQoIWC
=tem2
-----END PGP SIGNATURE-----

--- End Message ---
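
The manual score computation in the report and the 0.9.8 changelog entry ("Do not propagate negative scores from rdepends"), replayed as an added example; this is a simplified C++ model, not apt's MakeScores() source and not code from the report. The `Pkg` struct, `makeScores` and the edge list are illustrative names, and the weights (-1 for "optional", +1 for installed and not obsolete, +1 per rdepends) are the ones the report uses.

```cpp
// Added illustration: simplified model of the two scoring rounds described
// in the report. Names and structure are assumptions, not apt's own code.
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

struct Pkg {
    std::string name;
    int prio;        // -1 for "optional" (the report gives -2 for "extra")
    bool keepBonus;  // installed and not obsolete: +1
};
using Scores = std::map<std::string, int>;

static const std::vector<Pkg> kPkgs = {
    {"libhangul-dev", -1, true},    {"libhangul0", -1, false},
    {"libhangul0-data", -1, false}, {"libhangul1", -1, false},
    {"libhangul-data", -1, false}};
// (parent, dependency) edges as counted in the report's manual computation.
static const std::vector<std::pair<std::string, std::string>> kDeps = {
    {"libhangul-dev", "libhangul1"},
    {"libhangul1", "libhangul-data"},
    {"libhangul0", "libhangul0-data"}};

Scores makeScores(bool propagateAbs) {
    Scores round1;
    for (const Pkg &p : kPkgs) round1[p.name] = p.prio + (p.keepBonus ? 1 : 0);
    for (const auto &d : kDeps) round1[d.second] += 1;  // one point per rdepends
    Scores round2 = round1;  // second round: one level of propagation
    for (const auto &d : kDeps) {
        int parent = round1[d.first];
        // abs() turns the -1 of an obsolete leaf into a +1 boost;
        // max(0, ...) drops negative parent scores instead.
        round2[d.second] += propagateAbs ? std::abs(parent) : std::max(0, parent);
    }
    return round2;
}

int main() {
    for (bool buggy : {true, false}) {
        Scores s = makeScores(buggy);
        std::cout << (buggy ? "abs(RDepScore)" : "max(0, RDepScore)") << "\n";
        for (const Pkg &p : kPkgs)
            std::cout << "  " << s[p.name] << " " << p.name << "\n";
    }
    return 0;
}
```

With abs() the model reproduces the scores in the attached log (libhangul0-data at 1, libhangul-data at 0); with max(0, ...) the obsolete libhangul0-data no longer outranks its successor.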
