[Debian-astro-maintainers] Bug#1076374: libplayeronecamera2t64: ineffective replaces for /usr/lib/udev/rules.d/99-player_one_astronomy.rules causes file loss
Chris Hofstaedtler
zeha at debian.org
Mon Jul 15 18:07:37 BST 2024
Thorsten, Helmut,
On Mon, Jul 15, 2024 at 01:09:09PM +0200, Helmut Grohne wrote:
> Package: libplayeronecamera2t64
> Version: 3.1.0+20221218103507-2
> Severity: serious
[..]
> thank you for applying our /usr-move patches. Unfortunately, this one
> went wrong and it went to unstable rather than experimental.
I'm very sorry this one slipped through. I should have rechecked
this patch after the t64 migration mostly settled.
The following upgrade scenario demonstrates the loss. It may be
possible to construct a simpler scenario. (This needs mmdebstrap 1.5.1-4 or
better.)
mmdebstrap \
    --components="main non-free" \
    --include=libplayeronecamera2 \
    --hook-dir=/usr/share/mmdebstrap/hooks/no-merged-usr \
    --chrooted-customize-hook='rm /etc/unsupported-skip-usrmerge-conversion' \
    --chrooted-customize-hook='apt update' \
    --chrooted-customize-hook='apt install --reinstall -y usrmerge' \
    --chrooted-customize-hook='ls -l /' \
    --chrooted-customize-hook='dpkg -L libplayeronecamera2' \
    --chrooted-customize-hook='sed -i -e s/bookworm/unstable/ -e /unstable-/d /etc/apt/sources.list' \
    --chrooted-customize-hook='apt update' \
    --chrooted-customize-hook='apt upgrade -y libc6 systemd' \
    --chrooted-customize-hook='cd /tmp && apt download libplayeronecamera2t64' \
    --chrooted-customize-hook='cd /tmp && dpkg --auto-deconfigure --unpack *.deb' \
    --chrooted-customize-hook='dpkg -l libplayerone*' \
    --chrooted-customize-hook='ls -la /lib/udev/rules.d/99-player_one_astronomy.rules' \
    --chrooted-customize-hook='apt install -f -y' \
    --chrooted-customize-hook='dpkg -l libplayerone*' \
    --chrooted-customize-hook='ls -la /lib/udev/rules.d/99-player_one_astronomy.rules' \
    bookworm /dev/null
> If you feel that a stronger mitigation is necessary, I can supply a
> patch adding protective diversions (via maintainer scripts).
>
> Please let me know your preference. Roughly speaking your options now
> are:
> * rename the rules file (closing both bugs)
> * move the rules file to a -common package (closing the -2 bug)
> * upgrade Replaces to Conflicts (closing the -1 bug)
> * request diversion-based mitigation (closing the -1 bug)
I'll attach a patch implementing the last option. As you can see this is far
from beautiful. I'd suggest applying the patch _and_ switching
Replaces to Conflicts to be extra safe.
Testing the new version could be done with the same script as above, but
replacing this line:
- --chrooted-customize-hook='cd /tmp && apt download libplayeronecamera2t64' \
+ --customize-hook='upload '$(pwd)'/libplayeronecamera2t64_3.1.0+20221218103507-2.1_arm64.deb /tmp/new.deb' \
Once again, I'm sorry this slipped through.
Chris
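
A post-upgrade check for the scenario above, as an added example that is not part of the original message or the attached patch. It assumes the output of `dpkg-divert --list` from the chroot has been saved to a file; the function names are hypothetical and the paths are the ones used in this report.

```shell
#!/bin/sh
# Added example (not part of the original mail or patch).
# Post-upgrade check for the file-loss case in this bug:
#  1. the udev rules file must still exist under the chroot, and
#  2. the temporary *.usr-is-merged diversion must be gone once the
#     package is configured (the patched postinst removes it).

RULES=/lib/udev/rules.d/99-player_one_astronomy.rules
PKG=libplayeronecamera2t64

# stdin: text in the format printed by `dpkg-divert --list`.
# stdout: "<package> <diverted path>" for each DEP17-style diversion.
# Assumption: paths contain no whitespace.
leftover_dep17_diversions() {
    awk '$1 == "diversion" && $2 == "of" && $4 == "to" && $6 == "by" &&
         $5 ~ /\.usr-is-merged$/ { print $7, $3 }'
}

# $1 = chroot root. On a merged-/usr system /lib is a symlink to usr/lib,
# so both spellings of the path are tried.
rules_file_present() {
    [ -e "$1$RULES" ] || [ -e "$1/usr$RULES" ]
}

# $1 = chroot root, $2 = file holding `dpkg-divert --list` output.
# Returns 0 when the upgrade left the system in the expected state.
check_upgrade() {
    status=0
    if ! rules_file_present "$1"; then
        echo "LOST: $RULES missing under $1"
        status=1
    fi
    if leftover_dep17_diversions < "$2" | grep -q "^$PKG "; then
        echo "LEFTOVER: diversion for $RULES still registered by $PKG"
        status=1
    fi
    return "$status"
}
```
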
-------------- next part --------------
diff -Nru libplayerone-3.1.0+20221218103507/debian/changelog libplayerone-3.1.0+20221218103507/debian/changelog
--- libplayerone-3.1.0+20221218103507/debian/changelog 2024-07-13 12:36:28.000000000 +0200
+++ libplayerone-3.1.0+20221218103507/debian/changelog 2024-07-15 18:53:25.000000000 +0200
@@ -1,3 +1,10 @@
+libplayerone (3.1.0+20221218103507-2.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Add DEP17 P1 mitigations. (Closes: #1076374)
+
+ -- Chris Hofstaedtler <zeha at debian.org> Mon, 15 Jul 2024 18:53:25 +0200
+
libplayerone (3.1.0+20221218103507-2) unstable; urgency=medium
* upload to unstable
diff -Nru libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.lintian-overrides libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.lintian-overrides
--- libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.lintian-overrides 2024-07-13 12:36:28.000000000 +0200
+++ libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.lintian-overrides 2024-07-15 18:53:25.000000000 +0200
@@ -1,3 +1,7 @@
# that is the way upstream delivers stuff
hardening-no-bindnow
libplayeronecamera2t64: package-name-doesnt-match-sonames libPlayerOneCamera3
+# begin-remove-after: released:trixie
+# DEP17P7 mitigation
+diversion-for-unknown-file lib/udev/rules.d/99-player_one_astronomy.rules [*]
+# end-remove-after
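Review bot: The comment on the added override reads "DEP17P7 mitigation", while the changelog entry in this same patch says "DEP17 P1 mitigations". Use the same problem label in both places so that whoever acts on the remove-after marker can match the override to the right changelog entry.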
diff -Nru libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.postinst libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.postinst
--- libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.postinst 1970-01-01 01:00:00.000000000 +0100
+++ libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.postinst 2024-07-15 18:53:25.000000000 +0200
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# begin-remove-after: released:trixie
+if test "$1" = configure; then
+ dpkg-divert --no-rename --package libplayeronecamera2t64 --divert /lib/udev/rules.d/99-player_one_astronomy.rules.usr-is-merged --remove /lib/udev/rules.d/99-player_one_astronomy.rules
+fi
+# end-remove-after
+
+#DEBHELPER#
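Review bot: The new postinst has no "set -e", unlike the preinst added in this patch, so a failing "dpkg-divert ... --remove" in the configure branch is ignored and configuration carries on with the diversion still registered. Add "set -e" after the shebang line to match the preinst.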
diff -Nru libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.preinst libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.preinst
--- libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.preinst 1970-01-01 01:00:00.000000000 +0100
+++ libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.preinst 2024-07-15 18:53:25.000000000 +0200
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+# begin-remove-after: released:trixie
+if test "$1" = upgrade || test "$1" = install; then
+ dpkg-divert --no-rename --package libplayeronecamera2t64 --divert /lib/udev/rules.d/99-player_one_astronomy.rules.usr-is-merged --add /lib/udev/rules.d/99-player_one_astronomy.rules
+fi
+# end-remove-after
+
+#DEBHELPER#
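Review bot: The diversion added in the install/upgrade branch is only ever removed by the postinst on configure, and the patch adds no postrm. If the unpack is aborted, or the package is removed before it has been configured, the diversion of /lib/udev/rules.d/99-player_one_astronomy.rules stays registered. Consider a postrm that runs the same "dpkg-divert ... --remove" call for remove, abort-install and abort-upgrade.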