[DSE-Dev] Bug#1055921: libsepol2: move libsepol.so.2 to /usr

Helmut Grohne helmut at subdivi.de
Tue Nov 14 09:39:17 GMT 2023


Source: libsepol
Version: 3.5-1
Severity: normal
Tags: patch
User: helmutg at debian.org
Usertags: dep17m2
X-Debbugs-Cc: vorlon at debian.org

We want to finalize the /usr-merge transition via DEP17[1]. For
libsepol, this means moving all remaining files from aliased directories
in / to /usr. There is only libsepol.so.2 in package libsepol2. Until
recently, such a move was prohibited by the file move moratorium. This
has now been delegated to https://wiki.debian.org/UsrMerge. We still
must be careful, because libsepol is part of the debootstrap
--variant=minbase set.

DEP17 gives us a template of problems to watch out for. P1 is not
relevant now, but may become relevant via the 2038 transition. In the
process, libsepol2 may be renamed to libsepol2t64 keeping the soname. In
an upgrade from bookworm to trixie, libsepol.so.2 would thus move from /
to /usr and from libsepol2 to libsepol2t64 triggering the file loss
scenario that the moratorium meant to prevent. Therefore, please upload
the time64 change to experimental first and let it wait for at least
three days. We might get away with upgrading Breaks to Conflicts (DEP17
M7), but we probably should use protective diversions (DEP17 M8) instead
to avoid making the upgrade too hard for apt. Problem classes P2, P3,
P4, P5, P6 do not apply. P7 does not apply, because libsepol.so.2 is
installed to an architecture-dependent path. I locally verified that
this change does not impact debootstrap (P8). P9 will be handled
elsewhere and P10 is not a problem, because /usr/lib/$multiarch is on
the default library search path even on unmerged systems.

Therefore I think we're good to go ahead.

I'm attaching a patch that enables dh_movetousr. This is not a long-term
solution. Eventually, you want to adjust the path in the packaging, but
we must not do so in bookworm-backports. dh_movetousr will take care of
becoming a noop in bookworm-backports. If you think backporting is not
relevant to libsepol, consider changing paths directly instead.

Helmut

[1] https://subdivi.de/~helmut/dep17.html
-------------- next part --------------
diff --minimal -Nru libsepol-3.5/debian/changelog libsepol-3.5/debian/changelog
--- libsepol-3.5/debian/changelog	2023-07-08 22:44:16.000000000 +0200
+++ libsepol-3.5/debian/changelog	2023-11-14 10:23:22.000000000 +0100
@@ -1,3 +1,10 @@
+libsepol (3.5-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Move libsepol.so.2 to /usr. (Closes: #-1)
+
+ -- Helmut Grohne <helmut at subdivi.de>  Tue, 14 Nov 2023 10:23:22 +0100
+
 libsepol (3.5-1) unstable; urgency=medium
 
   * New upstream release
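Review bot: The new entry's "(Closes: #-1)" is still the bug-submission placeholder and has to be replaced with the real bug number (1055921, per the subject line) before upload, otherwise the bug will not be closed by the upload. The distribution field is also still UNRELEASED and needs to be set to the target suite. Since the cover message asks for the time64 rename to go to experimental first, it would help to state in this entry which suite this move is intended for.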
diff --minimal -Nru libsepol-3.5/debian/control libsepol-3.5/debian/control
--- libsepol-3.5/debian/control	2023-07-08 22:44:16.000000000 +0200
+++ libsepol-3.5/debian/control	2023-11-14 10:23:22.000000000 +0100
@@ -6,7 +6,7 @@
 Maintainer: Debian SELinux maintainers <selinux-devel at lists.alioth.debian.org>
 Uploaders: Laurent Bigonville <bigon at debian.org>, Russell Coker <russell at coker.com.au>
 Standards-Version: 4.6.2
-Build-Depends: debhelper-compat (= 13), file, flex
+Build-Depends: debhelper-compat (= 13), dh-sequence-movetousr, file, flex
 Homepage: https://selinuxproject.org
 Rules-Requires-Root: no
 
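Review bot: Adding dh-sequence-movetousr to Build-Depends is the only place the add-on is enabled, and nothing in the packaging records that it is a stopgap. The cover message says this is not a long-term solution and that the install paths should eventually be changed directly, so the changelog line would be better as something like "Move libsepol.so.2 to /usr via dh_movetousr" so a later maintainer knows to drop this build dependency when the paths are adjusted. It is also worth confirming that the debhelper available in every suite this is built for, bookworm-backports included, provides dh-sequence-movetousr, because the dependency is unversioned and the build will simply fail to install its build dependencies where it is missing.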

