Bug#924662: apt: vendor/getinfo can misdetect parent of Ubuntu derivatives, causing unsatisfiable dependency
Package: apt
Version: 1.6~rc1
Severity: normal
Tags: patch
Steps to reproduce:
* Configure base-files for an Ubuntu derivative
* Don't add your Ubuntu derivative to apt's vendor/ (in my case this was
done to minimize the number of packages with delta, so that we can pull
in apt security updates more easily)
* Build apt on a filesystem with non-deterministic readdir() order
Expected result:
* The first loop in getcurrent(), looking for an exact match, doesn't find
our derivative
* The second loop in getcurrent(), looking for an ancestor that's neither
Debian nor Ubuntu, doesn't find an ancestor for our derivative
* The fallback test for Ubuntu returns "ubuntu"
* My apt depends on ubuntu-archive-keyring
Actual result:
* The first loop behaves as expected
* The second loop behaves as expected
* In my case, the fallback test for Ubuntu returns "tanglu"
* My apt depends on tanglu-archive-keyring, which isn't in my derivative
This can fail for two reasons:
* find(1) doesn't guarantee to list distros in alphabetical order;
* in future there might be a distro that sorts later than ubuntu,
although right now there is no such distro
I actually found this bug in Ubuntu 18.04's apt 1.6.8, but this script
seems to be identical in 1.8.0, so I'm reporting it as present in their
newest common ancestor.
Proposed patches: https://salsa.debian.org/apt-team/apt/merge_requests/55
or attached.
Regards,
smcv
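
The failure mode described in the report, as an added model that is not part of the original message and is not apt's vendor/getinfo: a three-stage lookup whose Ubuntu fallback is assumed to print the variable left over from the earlier loops, beside a version that names the family literally. The names mydistro, zzdistro, vendor_is, derives_from and pick_vendor are hypothetical, and the vendor checks are offline stand-ins.

```shell
#!/bin/sh
# Simplified model of a three-stage vendor lookup (constructed, not apt's script).

# Constructed data: the derivative "mydistro" derives from ubuntu and debian only.
CURRENT_VENDOR="mydistro"
CURRENT_PARENTS="ubuntu debian"

# Offline stand-ins for the real vendor queries (assumption: exact-match and
# derives-from checks, such as dpkg-vendor provides).
vendor_is() { [ "$1" = "$CURRENT_VENDOR" ]; }
derives_from() {
	for p in $CURRENT_PARENTS; do
		[ "$p" = "$1" ] && return 0
	done
	return 1
}

# $1: vendor directory names, in the order the directory listing returned them
# $2: "leaky" reuses the loop variable in the fallback, "fixed" names the family
pick_vendor() {
	distros=$1 mode=$2
	for DISTRO in $distros; do            # stage 1: exact match
		if vendor_is "$DISTRO"; then echo "$DISTRO"; return 0; fi
	done
	for DISTRO in $distros; do            # stage 2: ancestor other than debian/ubuntu
		case $DISTRO in debian|ubuntu) continue ;; esac
		if derives_from "$DISTRO"; then echo "$DISTRO"; return 0; fi
	done
	if derives_from ubuntu; then          # stage 3: fallback test for Ubuntu
		if [ "$mode" = leaky ]; then
			echo "$DISTRO"                # whatever entry the listing ended on
		else
			echo ubuntu                   # independent of listing order
		fi
		return 0
	fi
	echo debian
}

# Constructed listings: sorted, unsorted (readdir order), and sorted with a
# hypothetical vendor that sorts after ubuntu.
for order in "debian tanglu ubuntu" "debian ubuntu tanglu" "debian tanglu ubuntu zzdistro"; do
	echo "[$order] leaky=$(pick_vendor "$order" leaky) fixed=$(pick_vendor "$order" fixed)"
done
```

Sorting the listing only hides the problem while ubuntu happens to be the last entry; the third listing shows the leaky form failing even on sorted input.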