[config-package-dev] Bug#991156: unblock: config-package-dev/5.6 [pre-approval]

Thu Jul 15 22:47:07 EDT 2021

Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: config-package-dev at mit.edu

Hi release team,

This is a pre-approval request to get a sense of your willingness to 
unblock config-package-dev to handle usrmerge/dpkg issues.

[ Reason ]

config-package-dev is a Debhelper (and CDBS) add-on for writing packages 
that use dpkg-divert to customize other packages' behavior. (The target 
audience is people customizing Debian for a university/company/etc. or 
preparing derivatives. Notable public users include Debathena and Whonix. 
That is, config-package-dev is a leaf package in the Debian archive, with 
no build-rdeps.)

As noted on https://wiki.debian.org/Teams/Dpkg/MergedUsr , "dpkg-divert is 
currently broken by" the current implementation of usrmerge. What this 
seems to mean, specifically, is that if you divert a binary by the wrong 
name - e.g., dpkg-divert /bin/less instead of /usr/bin/less - the 
diversion is useless, and the underlying package can overwrite a file that 
was supposed to be diverted.

I think config-package-dev ought to address this, somehow. Some options 
are listed in my email to our mailing list, where I also demonstrate what 
can go wrong: 
http://mailman.mit.edu/pipermail/config-package-dev/2021-July/000066.html

Options range from just documenting the issue to actually trying to 
address it in some fashion. I don't yet have a change ready for any of 
these options; I'm trying to gauge what you think is acceptable vs. too 
risky at this point in freeze.

[ Impact ]

A user on a usrmerged system could easily notice a file in (e.g.) /usr/bin 
and try to build a config-package of it without realizing the file 
actually lives in (e.g.) /bin. Things would even appear to work after 
installing the config-package, because the file would get renamed on disk; 
they would break after the underlying package (the target of the 
diversion) gets upgraded or reinstalled.

[ Tests ]

The examples directory contains a handful of sample source packages using 
most of config-package-dev's features. autopkgtests cover building but not 
installing those packages, so testing would be manual. Also, the tests 
only cover the positive case, using the correct paths, as opposed to the 
negative case, but manual testing of that would be easy (see the linked 
email above for essentially a currently-failing test case).

[ Risks ]

As noted, this is a leaf package within the Debian archive, so the risk to 
Debian itself from getting the change wrong would be low.

The major alternative here would be fixing dpkg to handle diversions (and 
perhaps many other things) correctly on a usrmerged system. From the tone 
of the discussion, I would guess that this certainly isn't going to happen 
before Bullseye release, but if you're aware of work along those lines, I 
would be happy to wait for that / contribute to it / test it.

[ Checklist ]
   [ ] all changes are documented in the d/changelog
   [ ] I reviewed all changes and I approve them
   [ ] attach debdiff against the package in testing

[ Other info ]

I'm open to whatever level of change you think is fine. I would prefer 
fixing it (somehow) to merely documenting it; if you think I should try to 
fix it and come back with a debdiff, I'm happy to do that.

unblock config-package-dev/5.6

Thanks,
-- 
Geoffrey Thomas
https://ldpreload.com
geofft at ldpreload.com