[Debian-med-packaging] Bug#902364: ncbi-data, ncbi-rrna-data: Replaces without Breaks allow invalid partial up/downgrades

Andreas Beckmann anbe at debian.org
Mon Jun 25 15:52:31 BST 2018 

Package: ncbi-data,ncbi-rrna-data
Version: 6.1.20170106-2
Severity: serious
User: debian-qa at lists.debian.org
Usertags: piuparts replaces-without-breaks

Hi,

during a test with piuparts and DOSE tools I noticed your package causes
removal of files that also belong to another package.
This is caused by using Replaces without corresponding Breaks.

The installation sequence to reproduce this problem is

VICTIM=ncbi-data, OFFENDER=ncbi-rrna-data

  apt-get install $VICTIM/jessie
  # (1)
  apt-get install $OFFENDER/stretch
  apt-get remove $OFFENDER
  # (2)

The list of installed files at points (1) and (2) should be identical,
but the following files have disappeared:

  /usr/share/ncbi/data/Combined16SrRNA.nhr
  /usr/share/ncbi/data/Combined16SrRNA.nin
  /usr/share/ncbi/data/Combined16SrRNA.nsq
  /usr/share/ncbi/data/rRNAstrand.nal


This is a serious bug violating policy 7.6, see
https://www.debian.org/doc/debian-policy/#overwriting-files-and-replacing-packages-replaces
and also see the footnote that describes this incorrect behavior
https://www.debian.org/doc/debian-policy/ (old: footnotes.html#f53)
[footnote permalink broken (#879048), search for /To see why/]

The $OFFENDER package has the following relationships with $VICTIM:

  Conflicts: n/a
  Breaks:    n/a
  Replaces:  ncbi-data (<< 6.1.20160908)

>From the attached log (scroll to the bottom...):

0m40.2s ERROR: FAIL: After purging files have disappeared:
  /usr/share/ncbi/data/Combined16SrRNA.nhr       owned by: ncbi-rrna-data
  /usr/share/ncbi/data/Combined16SrRNA.nin       owned by: ncbi-rrna-data
  /usr/share/ncbi/data/Combined16SrRNA.nsq       owned by: ncbi-rrna-data
  /usr/share/ncbi/data/rRNAstrand.nal    owned by: ncbi-rrna-data

0m40.2s ERROR: FAIL: After purging files have been modified:
  /var/lib/dpkg/info/ncbi-data.list      not owned

Similar effects can be shown with VICTIM and OFFENDER swapped,
the affected files in this case are

  /usr/share/ncbi/data/Combined16SrRNA_2-12-2008.nhr
  /usr/share/ncbi/data/Combined16SrRNA_2-12-2008.nin
  /usr/share/ncbi/data/Combined16SrRNA_2-12-2008.nsq

Mixing one data file from stretch and one datafile from jessie also means
that one set of the moved files is missing. Which is not a problem
from dpkg point of view, but perhaps from your application logic.


cheers,

Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ncbi-data=6.1.20120620-8_ncbi-rrna-data=6.1.20170106-2.log.gz
Type: application/gzip
Size: 8349 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20180625/e259bf3f/attachment.gz>

More information about the Debian-med-packaging mailing list