[Pkg-libvirt-maintainers] Bug#1064126: Bug#1064126: libvirt: install NSS modules into /usr

Sun Sep 1 16:17:28 BST 2024

On Fri, Aug 30, 2024 at 09:38:46PM +0200, Helmut Grohne wrote:
> On Fri, Aug 30, 2024 at 09:19:08PM +0200, Andrea Bolognani wrote:
> > I disagree on the check being useless in general though. The
> > diversion should only be created when upgrading from a version of
> > libvirt that was not usr-merged to one that is; when upgrading from a
> > version that is already usr-merged, we should do nothing.
> > 
> > So the correct check should be
> > 
> >   if [ -n "$2" ] && dpkg --compare-versions -- "$2" gt "$lastver"; then
> >       return 0
> >   fi
> 
> Indeed. If you already are on a moved version, that should work. Please
> keep in mind that when doing this, you must not backport libvirt as
> bookworm (including bookworm-backports) need to have systemd units in
> aliased locations as otherwise debhelper will fail to generate
> maintainer scripts.

We've already effectively ruled out backports to bookworm when we
decided to move unit files using the straightforward method instead
of investigating dh_movetousr, so this is understood.

> So the $lastver should be the last version that ever
> becomes part of any bookworm release. To accommodate security updates, I
> recommend changing it to `ge "$firstver"`.

Well I just got it wrong the second time around too O:-)

The {create,delete}_protective_diversion() functions don't take
"lastver" as argument, so I should have used "firstver" there.

I believe that using "gt" is correct though. It's what we're using in
the other snippets already, and that in turn is based on the advice
present in dpkg-maintscript-helper(1), specifically the part about
the prior-version common parameter.

Checking the actual code for dpkg-maintscript-helper, this is how
that argument is used:

  if [ "$1" = "install" -o "$1" = "upgrade" ] && [ -n "$2" ] &&
     dpkg --compare-versions -- "$2" le-nl "$LASTVERSION"; then
    # perform action
  fi

So if, for built-in operations, the action is performed when

  "$2" le "$LASTVERSION"

it seems right that in our case it would be *skipped* when

  "$2" gt "$firstver"

which is the opposite condition.

In both cases the version number we provide to the script would be
e.g. 10.6.0-3~ for a change happening in 10.6.0-3, which is again
consistent with the advice found in dpkg-maintscript-helper(1).

Do you have any reason to believe "ge" is correct here and "gt" is
not? Otherwise, I'd rather stick with the approach that we've adopted
until now and which has not, at least as far as I'm aware of, caused
any issues so far.

> > I'm not familiar with running piuparts locally. If you can share some
> > brief instructions on how to do that, I'll happily try things out
> > before creating the MR.
> 
> You may just pass a .changes file to piuparts and it'll debootstrap into
> a directory and clean up behind itself. This will not test upgrades, but
> it'll catch the worst of mistakes. piuparts expects to be run as root
> though. You may run unstable piuparts without root by wrapping it in
> 
>     unshare --user --map-auto --setuid 0 --setgid 0 --mount --pid --fork --mount-proc true
> 
> For details refer to
> https://salsa.debian.org/debian/piuparts/-/merge_requests/60. Failing
> that, just upload to experimental and let piuparts.d.o do it.

If this doesn't test upgrades, it doesn't sound like it would be very
useful... Might as well let the service deployed on debian.org do its
thing after the upload to experimental, same as with dumat.

> > I'll work on implementing and testing this over the weekend. I'll
> > update the bug as appropriate.
> 
> Looking forward to your update.

MR here:

  https://salsa.debian.org/libvirt-team/libvirt/-/merge_requests/232

Please take a look.

-- 
Andrea Bolognani <eof at kiyuko.org>
Resistance is futile, you will be garbage collected.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20240901/97ff625e/attachment.sig>