On Thu, Feb 29, 2024 at 08:14:30AM +0100, Helmut Grohne wrote:
> Ideally, we'd get a reproducer using
> 
>    mmdebstrap SOMERELEASE /dev/null --variant=apt --include=SOMEPACKAGES \
>        --customize-hook='echo SOURCES_LIST_LINE > "$1/etc/apt/sources.list"' \
>        --chrooted-customize-hook="apt-get update" \
>        --chrooted-customize-hook="aptitude dist-upgrade"

mmdebstrap trixie /dev/null --variant=apt --include debian-security-support \
    --customize-hook='sed -i -e s/trixie/sid/ "$1/etc/apt/sources.list"' \
    --chrooted-customize-hook="apt-get update && apt-get install debian-security-support libpam0t64"

debian-security-support installs a dpkg.cfg.d snippet that configures a
post-invoke action which calls out to runuser. I think what it does is
policy-compliant.

> Technically speaking, I believe this is a Debian policy 3.8 violation.
> runuser is essential and removing libpam0g causes runuser to no longer
> work. I'm tentatively upgrading severity hoping that we don't get into a
> severity pingpong. Julian Andres Klode also thinks that it is likely to
> affect apt.

Yes, it does affect apt as we can see above. While the consequences are
not really fatal in this case, we still have an essential runuser that
happens to not work briefly.

I believe pam will have to be reverted and implemented as dual ABI
instead.

And I really expect the same to hold for libtirpc. We just haven't seen
the user reports for that yet as it hasn't built.

Helmut
