>>>>> "Neil" == Neil Williams <codeh...@debian.org> writes:
> On Wed, 18 May 2011 15:09:44 +0200 > David Kuehling <dvdkh...@gmx.de> wrote: > the attached patch (mostly) fixes bug #627179 [1]. Patch is against >> multistrap SVN head [2]. > The patch looks interesting but incomplete and possibly misleading. I understand that it's incomplete, but I do not think it is more 'misleading' than the code that it attempts to fix :) >> The patch misses one occurence of the bug, when multistrap looks at >> var/lib/dpkg/status looking for Source: headers only (ignoring >> Version: and Package:). Fixing that feels like beyond my perl >> skills, and I'm not sure that this whole part is required anyways >> (it's redandant with checking the downloaded .debs). For now I put a >> big Todo: comment on top. > Think about this more carefully. The situation is that multistrap is > stateless and something can have happened which means that the run > when the packages are actually downloaded failed at a later stage > (e.g. in the hooks or setupscript) and then got fixed. So a later run > of multistrap still needs to go through the status file (because the > .debs have been unpacked and deleted) to check if some source packages > still need to be downloaded. apt-get install will check the status > file and report that it the packages are already at the newest > version, without downloading anything, so the list has to come from > somewhere else. i.e. the list of downloaded debs is untrustworthy and > must be regarded as incomplete. Ok, if this is the case, then why do we have to collect source packages (dsclist) at 3 places in multistrap.conf . Won't it be sufficient to just do it once, when parsing the status file? >> That said, for me the patch fixes the problem with missing sources >> for the multistrap.conf I test with. > More testing required. I hope to get some time to look at this soon > but it needs a lot more thought. I'm willing to invest the time to fix it, everything is better than maintaining my own version of debian stuff. >> The patch also fixes another bug, not yet reported: multistrap could >> have fetched source packages versions that differ from the binary >> package versions. > That is more about differences in aptsources and debootstrap lines > than anything to do with specifying the version. I don't think your > patch actually works here. apt-get source will get the latest, just as > apt-get install will get the latest. What changes is whether the call > is made when aptsources are active or when bootstrap sources are > active. It needs to be bootstrap sources. I'd need to have a real > example of where apt-get install will download a different version to > what apt-get source will download for the same sources - that would be > a bug in apt, not multistrap. (Multistrap creates deb-src lines for > each source specified, so the versions are expected to be the same > from deb to deb-src or else there are problems with the archive.) That's exactly the problem: inconsistent versions in the archive or archive updates while multistrap runs. With the current implementation those won't be detected. IMO this is a severe error that can cause commercial distributors of images real pain due to the resulting GPL violation. So what work needs to be done for the patch to be accepted? - Drop the explicit versioning of source packages? - Fix the parsing of var/lib/dpkg/status in tidy_apt to use package-name in case that Source: is not present - what else did I miss? cheers, David -- GnuPG public key: http://dvdkhlng.users.sourceforge.net/dk.gpg Fingerprint: B17A DC95 D293 657B 4205 D016 7DEF 5323 C174 7D40
pgpgNDvu4Ikyc.pgp
Description: PGP signature