[Cupt-devel] Bug#764238: libcupt3-0: Version selectors are exposed to external tools, breaking pinning

James McCoy jamessan at debian.org
Mon Oct 6 15:08:58 UTC 2014


Package: libcupt3-0
Version: 2.8.3
Severity: important

Doing an update today, apt-listbugs showed some bugs that seemed worth
pinning the packages over, so I did that.  This resulted in
/etc/apt/preferences.d/apt-listbug containing pins like

  Pin: version 1.17.13^installed

No tool other than cupt understands that version, which means
that e.g. a pinned package related to a security upgrade may get
upgraded when it shouldn't (unattended-upgrades).

$ cupt policy dpkg-dev
dpkg-dev:
  Installed: 1.17.13^installed
  Preferred: 1.17.13^installed
  Version table:
 *** 1.17.13^installed 1000
        /var/lib/dpkg/status installed/ (unsigned)
     1.17.15 501
        http://http.debian.net/debian unstable/main (signed)
$ apt-cache policy dpkg-dev
dpkg-dev:
  Installed: 1.17.13
  Candidate: 1.17.15
  Package pin: (not found)
  Version table:
     1.17.15 1000
        500 http://http.debian.net/debian/ sid/main i386 Packages
 *** 1.17.13 1000
        100 /var/lib/dpkg/status

Removing the version selector from the pin causes apt to understand the
pin again, but now cupt doesn't:

$ cupt policy dpkg-dev
dpkg-dev:
  Installed: 1.17.13^installed
  Preferred: 1.17.15
  Version table:
     1.17.15 501
        http://http.debian.net/debian unstable/main (signed)
 *** 1.17.13^installed 100
        /var/lib/dpkg/status installed/ (unsigned)
$ apt-cache policy dpkg-dev
dpkg-dev:
  Installed: 1.17.13
  Candidate: 1.17.13
  Package pin: 1.17.13
  Version table:
     1.17.15 1000
        500 http://http.debian.net/debian/ sid/main i386 Packages
 *** 1.17.13 1000
        100 /var/lib/dpkg/status


Regardless of how the pin is specified, cupt still decides to upgrade
dpkg-dev due to libdpkg-perl having a lock-step Depends on dpkg-dev,
although at different scores.

With the version selector in the pin:
D: (0:0) problem (3:1): <user requests> <not installed>: custom: upgrade libdpkg-perl
D: (0:0) -> (1,Δ:[uw=-460]) trying: '' -> 'unsatisfied custom: upgrade libdpkg-perl'
D: (0:0) -> (2,Δ:[401v/u/pp=539]) trying: 'libdpkg-perl 1.17.13^installed' -> 'libdpkg-perl 1.17.15'
D: (0:0) -> (3,Δ:[-200v/r/ra/2pp=-764]) trying: 'libdpkg-perl 1.17.13^installed' -> 'libdpkg-perl <not installed>'
D:  (2:539) problem (5:2): dpkg-dev 1.17.13^installed: depends 'libdpkg-perl (= 1.17.13)'
D: ignoring soft dependency relation: dpkg-dev 1.17.15: recommends 'libalgorithm-merge-perl'
D:   (2:539) -> (4,Δ:[-499v/u=-359]) trying: 'dpkg-dev 1.17.13^installed' -> 'dpkg-dev 1.17.15'
D:   (4:180) finished


Without the version selector:
D: (0:0) problem (3:1): <user requests> <not installed>: custom: upgrade libdpkg-perl
D: (0:0) -> (1,Δ:[uw=-460]) trying: '' -> 'unsatisfied custom: upgrade libdpkg-perl'
D: (0:0) -> (2,Δ:[401v/u/pp=539]) trying: 'libdpkg-perl 1.17.13^installed' -> 'libdpkg-perl 1.17.15'
D: (0:0) -> (3,Δ:[-200v/r/ra/2pp=-764]) trying: 'libdpkg-perl 1.17.13^installed' -> 'libdpkg-perl <not installed>'
D:  (2:539) problem (5:2): dpkg-dev 1.17.13^installed: depends 'libdpkg-perl (= 1.17.13)'
D: ignoring soft dependency relation: dpkg-dev 1.17.15: recommends 'libalgorithm-merge-perl'
D:  (2:539) -> (4,Δ:[-200v/r=-1960]) trying: 'dpkg-dev 1.17.13^installed' -> 'dpkg-dev <not installed>'
D:  (2:539) -> (5,Δ:[401v/u/pp=539]) trying: 'dpkg-dev 1.17.13^installed' -> 'dpkg-dev 1.17.15'

I can split this part out to a separate bug if you'd like.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.16-2-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcupt3-0 depends on:
ii  libc6           2.19-11
ii  libcupt-common  2.8.3
ii  libgcc1         1:4.9.1-16
ii  libgcrypt20     1.6.2-4
ii  libstdc++6      4.9.1-16

Versions of packages libcupt3-0 recommends:
ii  bzip2                           1.0.6-7
ii  ed                              1.10-2
ii  gpgv                            1.4.18-4
ii  libcupt3-0-downloadmethod-curl  2.8.3

Versions of packages libcupt3-0 suggests:
ii  cupt             2.8.3
pn  debdelta         <none>
ii  dpkg-dev         1.17.13
pn  dpkg-repack      <none>
ii  xz-utils [lzma]  5.1.1alpha+20120614-2

-- no debconf information
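A practitioner reading this report will want a way to find pins that apt's parser cannot match before an automatic upgrade silently ignores them, as happened above ("Package pin: (not found)"). The following checker is an added example, not code from the reporter, apt-listbugs or cupt. It splits an APT preferences file into stanzas and flags every "Pin: version" token that is not a Debian version string as apt understands it (digits, letters, ".", "+", "~", ":" for the epoch, "-" for the revision, plus apt's "*" glob); the "^installed" suffix from the report fails that test. The sample stanzas are constructed, modelled on the /etc/apt/preferences.d/apt-listbug file described in the report; the function names are this example's own.

```python
import re
import sys
import glob

# Tokens apt's "Pin: version" accepts: a Debian version (leading digit, then
# letters, digits, '.', '+', '~', ':' for an epoch, '-' for a revision), with
# '*' allowed as a glob.  The cupt-specific "^installed" suffix contains '^',
# which is not a valid version character, so apt matches nothing and applies
# no pin at all for that package.
_APT_VERSION_TOKEN = re.compile(r'^[0-9][A-Za-z0-9.+~:*-]*$')

# Constructed sample, modelled on the apt-listbug preferences file in the report.
SAMPLE = """\
# written by apt-listbugs via cupt (constructed sample)
Package: dpkg-dev
Pin: version 1.17.13^installed
Pin-Priority: 1000

Package: libdpkg-perl
Pin: version 1.17.13
Pin-Priority: 1000

Package: *
Pin: release a=unstable
Pin-Priority: 500
"""


def parse_preferences(text):
    """Split an apt preferences file into stanzas (dict of field -> value).

    Stanzas are separated by blank lines; '#' comment lines are skipped
    without terminating the current stanza.
    """
    stanzas, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#'):
            continue
        if not line:
            if current:
                stanzas.append(current)
                current = {}
            continue
        if ':' not in line:
            # apt would refuse the whole file; keep going so we still report
            # every other stanza in it.
            continue
        key, _, value = line.partition(':')
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def find_foreign_pins(text):
    """Return (package, pin, offending_token) for each 'Pin: version' stanza
    containing a token apt cannot parse as a Debian version."""
    bad = []
    for stanza in parse_preferences(text):
        pin = stanza.get('Pin', '')
        kind, _, spec = pin.partition(' ')
        if kind != 'version':
            continue  # 'release' and 'origin' pins are not affected
        for token in spec.split():
            if not _APT_VERSION_TOKEN.match(token):
                bad.append((stanza.get('Package', '?'), pin, token))
    return bad


def check_files(paths):
    """Run the check over real preference files; returns {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding='utf-8', errors='replace') as fh:
            findings = find_foreign_pins(fh.read())
        if findings:
            results[path] = findings
    return results


if __name__ == '__main__':
    paths = sys.argv[1:] or sorted(glob.glob('/etc/apt/preferences.d/*'))
    report = check_files(paths) if paths else {'<sample>': find_foreign_pins(SAMPLE)}
    for path, findings in report.items():
        for package, pin, token in findings:
            print(f'{path}: {package}: "{pin}" has non-apt token {token!r}; '
                  f'apt will apply no pin for this package')
```

Run it with no arguments to scan /etc/apt/preferences.d, or pass file paths explicitly. The important failure mode is the silent one shown in the report: apt does not reject a version it cannot match, it simply reports "(not found)" and keeps the higher candidate, so unattended-upgrades would proceed as if the pin did not exist.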


