Bug#930519: missing versioned dependencies
Andreas Metzler
ametzler at bebt.de
Sat Jun 15 18:30:12 BST 2019
On 2019-06-14 Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> Package: exim4
[...]
> for some possibly historical reason, the dependencies between the exim
> packages are not versioned. This might lead to the latest security
> updates not being installed if some people just do apt install exim4
> instead of the recommended apt upgrade.
> I think that our packages should more closely depend on each other to
> avoid running an older exim4-daemon with a later exim4-base, forcing
> daemon upgrades even if somebody only upgrades exim4.
Hello Marc,
there are some semi-strict dependencies:
exim4 requires exim4-base from the same Debian source version and one
of the daemon packages (unversioned)
The daemon packages require exim4-base of at least the same upstream
version.
exim4-base requires exim4-config and Breaks daemon packages of older
upstream versions.
So what we currently have is that exim4, -base, and -daemon-* share the
same upstream version and exim4 and -base are built from the same source
(not the same binNMU).
You are suggesting to version the exim4 -> daemon dependency like this
Depends: exim4-daemon-light (>= ${source:Version}) |
         exim4-daemon-heavy (>= ${source:Version}) |
         exim4-daemon-custom (>= ${source:Version})
I see two possible downsides:
* Theoretically a dumb dependency-resolver might break upgrades,
choosing the first alternative instead of checking whether upgrading
everything fulfills the dependency. I think we can discount this.
* The -daemon-custom situation. I think the main reason why the
dependencies are as they are is to not enforce a rebuild of
exim4-daemon-custom for minor (i.e. Debian-revision) changes. This
made a lot of sense when the packaging changed a lot, i.e. there were
many uploads that would have produced the same -daemon-custom.
Nowadays almost every upload includes a new patch from -fixes so it
might make sense to change this.
cu Andreas
PS: FWIW I do not think the original argument (I did "apt-get install
exim4" and am still CVE-xxx vulnerable) is a weak one. Linux packages
often and for a long time have split upstream sources into multiple
binaries. Therefore selective upgrades by "apt-get install somebinary"
would often be incomplete. You'll either need to read every DSA in
detail and manually compare the list of upgraded/fixed packages with
the installed list, or just do "apt-get upgrade".
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
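As an added illustration (not code from the exim4 packaging or from this thread), a small Python model of the partial-upgrade scenario discussed above: it implements a dpkg-style version comparison and checks whether `apt install exim4` with the current unversioned daemon dependency leaves a stale exim4-daemon-light unflagged, compared with the proposed `(>= ${source:Version})` relation. Package names follow the thread; the versions 4.92-1 and 4.92-2 are constructed.

```python
"""Added example (not from the exim4 packaging): model the partial upgrade
from the thread and see which Depends relation catches a stale daemon."""
import re

def _order(c):
    # dpkg character order: '~' sorts first, letters before non-letters
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    key = []  # alternating text run (with end sentinel 0) and number run
    for text, digits in re.findall(r"(\D*)(\d*)", part):
        key.append(tuple(_order(c) for c in text) + (0,))
        key.append(int(digits or 0))
    return key

def version_cmp(a, b):
    """Compare Debian versions (epoch:upstream-revision): -1, 0 or 1."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return (int(epoch), _key(up), _key(rev))
    ka, kb = split(a), split(b)
    return (ka > kb) - (ka < kb)

def satisfies(have, rel):
    # rel is None (unversioned) or (op, version) as written in debian/control
    if rel is None:
        return True
    c = version_cmp(have, rel[1])
    return {"=": c == 0, ">=": c >= 0, "<=": c <= 0, ">>": c > 0, "<<": c < 0}[rel[0]]

def violations(installed, changed, depends):
    """Apply only `changed` (what `apt install exim4` upgrades) and list unmet
    Depends. ${source:Version} expands to the depending package's version;
    of an `a | b` alternative only the installed one is listed."""
    state = {**installed, **changed}
    bad = []
    for pkg, rels in depends.items():
        for dep, rel in rels:
            if rel is not None:
                rel = (rel[0], rel[1].replace("${source:Version}", state[pkg]))
            if dep in state and not satisfies(state[dep], rel):
                bad.append((pkg, dep, rel))
    return bad

# Constructed scenario: 4.92-1 installed, 4.92-2 is the (fictional) security upload.
INSTALLED = {"exim4": "4.92-1", "exim4-base": "4.92-1", "exim4-daemon-light": "4.92-1"}
PARTIAL = {"exim4": "4.92-2", "exim4-base": "4.92-2"}  # daemon not pulled in
CURRENT = {"exim4": [("exim4-base", ("=", "${source:Version}")), ("exim4-daemon-light", None)]}
PROPOSED = {"exim4": [("exim4-base", ("=", "${source:Version}")),
                      ("exim4-daemon-light", (">=", "${source:Version}"))]}
```

With `CURRENT` the partial upgrade produces no violation, so the 4.92-1 daemon keeps running; with `PROPOSED` the stale daemon is flagged and apt would have to upgrade it too.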