[Debian-astro-maintainers] Bug#1076374: libplayeronecamera2t64: ineffective replaces for /usr/lib/udev/rules.d/99-player_one_astronomy.rules causes file loss

Tue Jul 16 08:22:50 BST 2024

Hi Thorsten and Chris,

On Mon, Jul 15, 2024 at 07:07:37PM +0200, Chris Hofstaedtler wrote:
> The following upgrade scenario demonstrates the loss. It may be
> possible to construct a simpler scenario. (This needs mmdebstrap 1.5.1-4 or
> better.)

Thank you.

> mmdebstrap \
>   --components="main non-free" \
>   --include=libplayeronecamera2 \
>   --hook-dir=/usr/share/mmdebstrap/hooks/no-merged-usr \
>   --chrooted-customize-hook='rm /etc/unsupported-skip-usrmerge-conversion' \
>   --chrooted-customize-hook='apt update' \
>   --chrooted-customize-hook='apt install --reinstall -y usrmerge' \

Unless I am mistaken, I think your reproducer can be simplified by
dropping the no-merged-usr hook as well as installing usrmerge.

>   --chrooted-customize-hook='ls -l /' \
>   --chrooted-customize-hook='dpkg -L libplayeronecamera2' \
>   --chrooted-customize-hook='sed -i -e s/bookworm/unstable/ -e /unstable-/d  /etc/apt/sources.list' \
>   --chrooted-customize-hook='apt update' \
>   --chrooted-customize-hook='apt upgrade -y libc6 systemd' \
>   --chrooted-customize-hook='cd /tmp && apt download libplayeronecamera2t64' \
>   --chrooted-customize-hook='cd /tmp && dpkg --auto-deconfigure --unpack *.deb' \
>   --chrooted-customize-hook='dpkg -l libplayerone*' \
>   --chrooted-customize-hook='ls -la /lib/udev/rules.d/99-player_one_astronomy.rules' \
>   --chrooted-customize-hook='apt install -f -y' \
>   --chrooted-customize-hook='dpkg -l libplayerone*' \
>   --chrooted-customize-hook='ls -la /lib/udev/rules.d/99-player_one_astronomy.rules' \
>   bookworm /dev/null

Let me point out that this is not how people usually install packages.
There is a reason that we use apt download and dpkg there as there is no
known way to provoke this with apt yet.

> > If you feel that a stronger mitigation is necessary, I can supply a
> > patch adding protective diversions (via maintainer scripts).
> > 
> > Please let me know your preference. Roughly speaking your options now
> > are:
> >  * rename the rules file (closing both bugs)
> >  * move the rules file to a -common package (closing the -2 bug)
> >  * upgrade Replaces to Conflicts (closing the -1 bug)
> >  * request diversion-based mitigation (closing the -1 bug)
> 
> I'll attach a patch implementing the last option. As you can see this is far
> from beautiful. I'd suggest applying the patch _and_ switching
> Replaces to Conflicts to be extra safe.

Let me be extra clear: Your patch is not a solution on its own as
technicallly speaking you can still unpack (but not configure)
libplayeronecamera2 after having installed libplayeronecamera2t64 (and
thus the protective diversions having been removed). As is, the patch is
only complete when added to the Conflicts.

Given that systemd opted for not including the stronger mitigation in
its own packages (and just using Conflicts), I am not convinced that the
added maintenance cost of the protective diversions is justified. We'll
have to provide post-upgrade checking tools anyway and ask users to
reinstall broken packages.

Helmut