Re: Bug#974552: upgrade-reports: libc6/libcrypt split breaks perl during buster->bullseye upgrade

[Ivo De Decker <ivodd@debian.org>]

Hi,

On Fri, Mar 19, 2021 at 04:52:57PM +0100, Ivo De Decker wrote:
> > > I wonder if all this might be caused by the breaks from libcrypt1 (against
> > > libc6 (<< 2.29-4)). Is there a way to remove the breaks without causing
> > > issues?  Maybe this is somewhat similar to the situation in
> 
> I tried this with a modified libcrypt1 binary (removing the breaks), and it
> fails (/lib/x86_64-linux-gnu/libcrypt.so.1 is missing after the libc6 unpack).
> I guess that's because of #953562: libc6 shipped
> /lib/x86_64-linux-gnu/libcrypt.so.1 while libcrypt1 ships
> /usr/lib/x86_64-linux-gnu/libcrypt.so.1 Obviously, for dpkg these are 2
> different files, but on a system with merged /usr they are not.

I created a patch to move libcrypt back to /lib, and that seems to solve the
issue. The patch is attached. With this patch, libcrypt1 is installed before
libc6 is upgraded, and the takeover of the library works correctly.

This also fixes #953562, which reported that this move is necessary.

Note that the original move from /lib to /usr/lib was more complicated than my
patch:
https://salsa.debian.org/md/libxcrypt/-/commit/1fb86fde5410088580f8032834037facb26d2d49
I didn't look into the details of the -dev package, because they are not
relevant to this bug. The patch might need to be adapted.


I ran a number of (partial and full) upgrade tests, and they all seem to work
fine. In all cases, libcrypt1 is installed before libc6, and there is no
intermediate situations where libcrypt.so.1 is missing.

> > The problem of removing the break, is that we loose the possibility of
> > downgrades. Is it something acceptable?
> 
> Well, I guess if that is the cost of not breaking people's systems on upgrade,
> that sounds like an acceptable trade-off. But I might be overlooking certain
> scenarios.
> 
> 
> > > https://bugs.debian.org/972936#24: libgcc-s1 takes over binaries from libgcc1,
> > > but only 'replaces' it, without breaks (note that extra steps had to be taken
> > > to avoid further issues (adding Important: yes and Protected: yes)).
> > 
> > Are this extra-steps basically required to prevent downgrades?
> 
> They are required to prevent you from removing libcrypt1 again: on a buster
> system, install such a hypothetical libcrypt1 from bullseye (which takes over
> libcrypt.so.1). Then remove that again. Now libcrypt.so.1 is missing. If the
> breaks is present, libcrypt1 can only be installed together with the new
> libc6, which prevents you from removing libcrypt1 afterwards.

As in #972936, my patch adds Important and Protected, which prevents removal of
libcrypt1 once it's installed.

Cheers,

Ivo

diff --git a/debian/changelog b/debian/changelog
index b5088dc..16d25ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+libxcrypt (2:4.4.17-1.1) UNRELEASED; urgency=medium
+
+  * Make sure takeover of libcrypt.so.1 from libc6 works correctly on upgrades
+    from buster to bullseye (Closes: #974552):
+    - Move the library back from /usr/lib/ to /lib/, because that's where it
+      was in the old libc6 (Closes: #953562)
+    - Remove breaks from libcrypt1, to allow installing libcrypt1 before libc6
+      is upgraded
+    - Mark libcrypt1 as Important and Protected, to prevent removal after a
+      partial upgrade
+
+ -- Ivo De Decker <ivodd@debian.org>  Tue, 06 Apr 2021 19:46:44 +0000
+
 libxcrypt (1:4.4.17-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/control b/debian/control
index 35939dd..a2ae60a 100644
--- a/debian/control
+++ b/debian/control
@@ -16,11 +16,8 @@ Architecture: any
 Multi-Arch: same
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Breaks:
- libc6 (<< 2.29-4),
- libc6.1 (<< 2.29-4) [alpha ia64],
- libc0.1 (<< 2.29-4) [kfreebsd-amd64 kfreebsd-i386],
- libc0.3 (<< 2.29-4) [hurd-i386],
+XB-Important: yes
+Protected: yes
 Replaces:
  libc6 (<< 2.29-4),
  libc6.1 (<< 2.29-4) [alpha ia64],
diff --git a/debian/libcrypt-dev.files b/debian/libcrypt-dev.files
index 94387de..fc172a1 100644
--- a/debian/libcrypt-dev.files
+++ b/debian/libcrypt-dev.files
@@ -1,5 +1,5 @@
 /usr/include/
 /usr/share/man/
-/usr/lib/*/pkgconfig/
-/usr/lib/*/*.a
-/usr/lib/*/*.so
+/lib/*/pkgconfig/
+/lib/*/*.a
+/lib/*/*.so
diff --git a/debian/rules b/debian/rules
index 2969306..26f2bcd 100755
--- a/debian/rules
+++ b/debian/rules
@@ -34,11 +34,11 @@ CONFFLAGS = --disable-werror --prefix=/usr \
 CONFFLAGS_deb  = $(CONFFLAGS) \
   $(shell DEB_BUILD_MAINT_OPTIONS="hardening=+bindnow" \
     dpkg-buildflags --export=configure || true) \
-  --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)
+  --libdir=/lib/$(DEB_HOST_MULTIARCH)
 CONFFLAGS_udeb = $(CONFFLAGS) \
   $(subst -O2,-Os -fomit-frame-pointer,$(shell DEB_BUILD_MAINT_OPTIONS="hardening=-all" \
     dpkg-buildflags --export=configure || true)) \
-  --libdir=/usr/lib
+  --libdir=/lib
 
 ##############################################################################
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
@@ -101,7 +101,7 @@ ifeq ($(BUILD_DEV_VER), 1)
 else
 	cd $D && echo $(shell sed -re 's#^/##' $(CURDIR)/debian/libcrypt-dev.files) | xargs echo rm -rf
 endif
-	rm $D/usr/lib/*/*.la
+	rm $D/lib/*/*.la
 	rmdir --parents --ignore-fail-on-non-empty \
 		$$(find $D -type d -empty) $$(find $(DD) -type d -empty)
 endif
@@ -115,7 +115,7 @@ ifeq ($(BUILD_DEV_VER), 2)
 else
 	cd $(D2) && echo $(shell sed -re 's#^/##' $(CURDIR)/debian/libcrypt-dev.files) | xargs echo rm -rf
 endif
-	rm $(D2)/usr/lib/*/*.la
+	rm $(D2)/lib/*/*.la
 	rmdir --parents --ignore-fail-on-non-empty \
 		$$(find $(D2) -type d -empty) $$(find $(DD) -type d -empty)
 endif
@@ -123,7 +123,7 @@ endif
 ifdef BUILD_UDEB
 	cd build-udeb/ && \
 	$(MAKE) install-exec DESTDIR=$(DU)
-	rm $(DU)/usr/lib/*.a $(DU)/usr/lib/*.la $(DU)/usr/lib/*.so
+	rm $(DU)/lib/*.a $(DU)/lib/*.la $(DU)/lib/*.so
 endif
 
 	mkdir -p $(DS)/usr/src/libxcrypt/