[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#229775: apt 2.7.7: build-dep doesn't work if priority is 499

I still think this is a bug. I will try to explain this more clearly.
I will show you exact sentence from "man apt_preferences",
which proves this, later in this mail.

Also, later in this mail I will show you a reproducer, which is
not linked to stretch and other old releases in any way.

On Mon, Jan 1, 2024 at 3:45 PM David Kalnischkies <david@kalnischkies.de> wrote:
> That is good, because it is documented to behave this way…

Oops, I think there is a misunderstanding here. When I said
"installed release", I didn't mean "installed version of particular
package in question, i. e. libuv1-dev". I meant "version of
the system", i. e. value of CODENAME field in /etc/os-release .

"man apt_preferences" says in the very beginning: "Subject
to dependency constraints, apt-get selects the version with
the highest priority for installation". Note "subject to
dependency constraints" here. This means that if version
with high priority is logically forbidden (i. e. it is not compatible
with dependency constraints), then apt chooses a
version with lower priority. And this is exactly what should
happen in my case. And it doesn't happen. And this is a bug.

So, again, let me describe the bug. My current OS is stretch.
Priority of main stretch repo is presumably set to 500, as well
as I understand. I add stretch-backports with priority 499. I
type "apt-get build-dep cmake", and this command fails. cmake
build-depends on libuv1-dev with constraint ">= 1.10". There
are two versions of libuv1-dev available:

- libuv1-dev 1.9.1-3 from stretch. Priority is 500
- libuv1-dev 1.34.2-1~bpo9+1 from stretch-backports. Priority is 499

(And currently libuv1-dev is not present on the system at all.)

It follows from my interpretation of the phrase "Subject to
dependency constraints" from "man apt_preferences", that
first apt should exclude logically inconsistent solutions. So it
should first exclude "libuv1-dev 1.9.1-3", because it is
inconsistent with the constraint ">= 1.10". Then apt should
choose version with highest priority from versions, which
are left. I. e. apt should choose "1.34.2-1~bpo9+1". But in
practice I see this error message:

===
# apt-get build-dep cmake
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 builddeps:cmake : Depends: libuv1-dev (>= 1.10) but 1.9.1-3 is to be installed
E: Unable to correct problems, you have held broken packages.
===

So, apt for whatever reasons prefers logically inconsistent
solution over consistent. Chooses wrong solution with high
priority over correct solution with low priority. Chooses
libuv1-dev 1.9.1-3 and then (of course) fails to install it,
because the constraints are violated.

Okay, so I hope now I convinced you that this is a bug.

Here is an absolutely standalone reproducer for this bug.
Run it on a throw-away sid system. (The letter continues
after the reproducer.)
=*=*=*=*=*=*=*=
#!/bin/bash

set -e
set -o pipefail

apt-get update
apt-get install -y --no-install-recommends dpkg-dev

rm -rf /etc/apt/sources.list.d /etc/apt/preferences.d /etc/apt/apt.conf.d

ARCH="$(dpkg --print-architecture)"

mkdir -p /sources/dependency-1/DEBIAN
mkdir -p /sources/dependency-2/DEBIAN
mkdir -p /sources/dependent/DEBIAN

cat << EOF > /sources/dependency-1/DEBIAN/control
Package: dependency
Version: 1
Description: AAA
Maintainer: AAA
Architecture: $ARCH
EOF

cat << EOF > /sources/dependency-2/DEBIAN/control
Package: dependency
Version: 2
Description: AAA
Maintainer: AAA
Architecture: $ARCH
EOF

cat << EOF > /sources/dependent/DEBIAN/control
Package: dependent
Version: 1
Depends: dependency (>= 2)
Description: AAA
Maintainer: AAA
Architecture: $ARCH
EOF

mkdir -p "/repo/dists/stable/main/binary-$ARCH"
mkdir -p "/repo/dists/backports/main/binary-$ARCH"

dpkg-deb --build /sources/dependency-1 "/repo/dists/stable/main/binary-$ARCH"
dpkg-deb --build /sources/dependency-2 "/repo/dists/backports/main/binary-$ARCH"
dpkg-deb --build /sources/dependent "/root"

(
  cd /repo
  dpkg-scanpackages "dists/stable/main/binary-$ARCH" >
"dists/stable/main/binary-$ARCH/Packages"
  dpkg-scanpackages "dists/backports/main/binary-$ARCH" >
"dists/backports/main/binary-$ARCH/Packages"
)

cat << EOF > /repo/dists/stable/Release
Codename: stable
Architectures: $ARCH
Components: main
Date: Thu, 1 Jan 1970 00:00:00 UTC
EOF

cat << EOF > /repo/dists/backports/Release
Codename: backports
Architectures: $ARCH
Components: main
Date: Thu, 1 Jan 1970 00:00:00 UTC
EOF

cat << EOF > /etc/apt/sources.list
deb file:///repo stable main
deb file:///repo backports main
EOF

cat << EOF > /etc/apt/preferences
Package: *
Pin: release n=backports
Pin-Priority: 499

Package: *
Pin: release n=stable
Pin-Priority: 500
EOF

mkdir -p /etc/apt/preferences.d
mkdir -p /etc/apt/apt.conf.d

cat << EOF > /etc/apt/apt.conf
Acquire::AllowInsecureRepositories yes;
EOF

apt-get update --quiet --quiet
apt-get install "/root/dependent_1_${ARCH}.deb"
=*=*=*=*=*=*=*=
Here is output:
===
Get:1 http://deb.debian.org/debian sid InRelease [198 kB]
Get:2 http://deb.debian.org/debian sid/main amd64 Packages [9626 kB]
Fetched 9824 kB in 6s (1522 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
[..snip..]
Setting up dpkg-dev (1.22.2) ...
Processing triggers for libc-bin (2.37-12) ...
dpkg-deb: building package 'dependency' in
'/repo/dists/stable/main/binary-amd64/dependency_1_amd64.deb'.
dpkg-deb: building package 'dependency' in
'/repo/dists/backports/main/binary-amd64/dependency_2_amd64.deb'.
dpkg-deb: building package 'dependent' in '/root/dependent_1_amd64.deb'.
dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
W: The repository 'file:/repo stable Release' is not signed.
W: No Hash entry in Release file
/var/lib/apt/lists/partial/_repo_dists_stable_Release
W: The repository 'file:/repo backports Release' is not signed.
W: No Hash entry in Release file
/var/lib/apt/lists/partial/_repo_dists_backports_Release
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'dependent' instead of '/root/dependent_1_amd64.deb'
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 dependent : Depends: dependency (>= 2) but 1 is to be installed
E: Unable to correct problems, you have held broken packages.
===
So, I reproduced the very same bug, but this time with fully
artifactual packages. Note that "build-dep" is not involved. Bug is
reproducible with the usual "apt-get install".

> Support for stretch ended nearly a decade ago
You mixed up stretch and squeeze. According to Wikipedia,
support for stretch ended in 2020.

-- 
Askar Safin
Reply to: