Bug#930519: missing versioned dependencies

Marc Haber mh+debian-packages at zugschlus.de
Sun Jun 16 20:10:25 BST 2019


On Sat, Jun 15, 2019 at 07:30:12PM +0200, Andreas Metzler wrote:
> On 2019-06-14 Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> there are some semi-strict dependencies:
> exim4 requires exim4-base from the same Debian source version and one
>    of the daemon packages (unversioned)
> The daemon packages require exim4-base of at least the same upstream
>    version.
> exim4-base requires exim4-config and Breaks daemon packages of older
>    upstream versions.
> 
> So what we currently have is that exim4, -base, and -daemon-* share the
> same upstream version and exim4 and -base are built from the same source
> (not the same binNMU). 

Yes, that means that only updating exim4 will not pull the daemon.

> You are suggesting to version the exim4 -> daemon dependency like this
> Depends: exim4-daemon-light (>= ${source:Version}) | 
>          exim4-daemon-heavy  (>= ${source:Version}) |
>          exim4-daemon-custom (>= ${source:Version}) 

Yes.

> I see two possible downsides:
> * Theoretically a dumb dependency-resolver might break upgrades,
>   choosing the first alternative instead of checking whether upgrading
>   everything fulfills the dependency. I think we can discount this.
> * The -daemon-custom situation. I think the main reason why the
>   dependencies are as they are is to not enforce a rebuild of
>   exim4-daemon-custom for minor (i.e. Debian-revision) changes. This
>   made a lot of sense when the packaging changed a lot, i.e. there were
>   many uploads that would have produced the same -daemon-custom.
>   Nowadays almost every upload includes a new patch from -fixes so it
>   might make sense to change this,

I think that the usage of the -custom stuff is infinitesimally small.
Heck, even I stopped doing this years ago. People doing this will most
probably follow security themselves, and since they're building
themselves anyway, can relax the versioned dependencies.

> PS: FWIW I do not think the original argument (I did "apt-get install
> exim4" and am still CVE-xxx vulnerable) is a weak one. Linux packages
> often and for a long time have split upstream sources into multiple
> binaries. Therefore selective upgrades by "apt-get install somebinary"
> would often be incomplete. You'll either need to read every DSA in
> detail and manually compare the list of upgraded/fixed packages with
> the installed list, or just do "apt-get upgrade".

I do agree that the original issue is mainly a user error (the advisory
says "update your exim4 packages" (plural)). I am wondering whether there
is something we can leverage for stupid users.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

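The check a user could run after a selective "apt-get install exim4" to see whether the split binaries still agree, as an added example that is not part of the thread or of the exim4 packaging: it reads "package source-version" lines, as produced by `dpkg-query -W -f='${Package} ${source:Version}\n' 'exim4*'`, and fails when more than one source version is installed. `${source:Version}` is used instead of `${Version}` so that a binNMU suffix does not count as a mismatch. The package list and version numbers in the sample are constructed for illustration.

```shell
#!/bin/sh
# check_same_source_version: read "package source-version" lines on stdin
# and exit 0 if every listed package was built from the same Debian source
# version, 1 otherwise (printing the offending groups). Plain POSIX awk.
check_same_source_version() {
    awk '
        NF >= 2 {
            if (!($2 in seen)) { seen[$2] = 1; distinct++ }
            pkgs[$2] = pkgs[$2] " " $1
        }
        END {
            if (distinct <= 1) exit 0
            print "installed packages come from different source versions:"
            for (v in pkgs) printf "  %s:%s\n", v, pkgs[v]
            exit 1
        }'
}

# Wrapper for a real Debian system (assumed invocation, not executed here):
# ${source:Version} is the source package version, so "+b1" binNMU suffixes
# on ${Version} do not produce false mismatches.
check_installed_exim4() {
    dpkg-query -W -f='${Package} ${source:Version}\n' 'exim4*' \
        | check_same_source_version
}

# Constructed sample: exim4, -base and -config were upgraded, the daemon
# was not. The versions are made up for illustration.
printf 'exim4 4.92-2\nexim4-base 4.92-2\nexim4-config 4.92-2\nexim4-daemon-light 4.92-1\n' \
    | check_same_source_version \
    || echo "=> a selective 'apt-get install exim4' left the daemon behind"
```

Run `check_installed_exim4` on the host to test the real installation; a non-zero exit means the advisory's "update your exim4 packages" was only partly followed and "apt-get upgrade" is still needed.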