>>>>> "Neil" == Neil Williams <codeh...@debian.org> writes:

> On Wed, 18 May 2011 15:09:44 +0200
> David Kuehling <dvdkh...@gmx.de> wrote:

>> the attached patch (mostly) fixes bug #627179 [1].  Patch is against
>> multistrap SVN head [2].

> The patch looks interesting but incomplete and possibly misleading.

I understand that it's incomplete, but I do not think it is more
'misleading' than the code that it attempts to fix :)
 
>> The patch misses one occurrence of the bug, when multistrap looks at
>> var/lib/dpkg/status looking for Source: headers only (ignoring
>> Version: and Package:).  Fixing that feels like beyond my perl
>> skills, and I'm not sure that this whole part is required anyways
>> (it's redundant with checking the downloaded .debs).  For now I put a
>> big Todo: comment on top.

> Think about this more carefully. The situation is that multistrap is
> stateless and something can have happened which means that the run
> when the packages are actually downloaded failed at a later stage
> (e.g. in the hooks or setupscript) and then got fixed. So a later run
> of multistrap still needs to go through the status file (because the
> .debs have been unpacked and deleted) to check if some source packages
> still need to be downloaded. apt-get install will check the status
> file and report that the packages are already at the newest
> version, without downloading anything, so the list has to come from
> somewhere else. i.e.  the list of downloaded debs is untrustworthy and
> must be regarded as incomplete.

Ok, if this is the case, then why do we have to collect source packages
(dsclist) at 3 places in multistrap.conf?  Won't it be sufficient to
just do it once, when parsing the status file?

>> That said, for me the patch fixes the problem with missing sources
>> for the multistrap.conf I test with.

> More testing required. I hope to get some time to look at this soon
> but it needs a lot more thought.

I'm willing to invest the time to fix it, everything is better than
maintaining my own version of debian stuff.
 
>> The patch also fixes another bug, not yet reported: multistrap could
>> have fetched source package versions that differ from the binary
>> package versions.

> That is more about differences in aptsources and debootstrap lines
> than anything to do with specifying the version. I don't think your
> patch actually works here. apt-get source will get the latest, just as
> apt-get install will get the latest. What changes is whether the call
> is made when aptsources are active or when bootstrap sources are
> active. It needs to be bootstrap sources. I'd need to have a real
> example of where apt-get install will download a different version to
> what apt-get source will download for the same sources - that would be
> a bug in apt, not multistrap. (Multistrap creates deb-src lines for
> each source specified, so the versions are expected to be the same
> from deb to deb-src or else there are problems with the archive.)

That's exactly the problem: inconsistent versions in the archive or
archive updates while multistrap runs.  With the current implementation
those won't be detected.  IMO this is a severe error that can cause
commercial distributors of images real pain due to the resulting GPL
violation.

So what work needs to be done for the patch to be accepted?  

  - Drop the explicit versioning of source packages?

  - Fix the parsing of var/lib/dpkg/status in tidy_apt to use
    package-name in case that Source: is not present

  - what else did I miss?

cheers,

David
-- 
GnuPG public key: http://dvdkhlng.users.sourceforge.net/dk.gpg
Fingerprint: B17A DC95 D293 657B 4205 D016 7DEF 5323 C174 7D40

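The status-file fallback raised in the thread (use the binary package name when Source: is absent, and take the version from the stanza) can be sketched as follows. This is an added example, not part of the original message and not multistrap's Perl code or the patch under discussion; the sample stanzas are constructed and the function names are hypothetical. It emits pins in the `name=version` form that apt-get source accepts.

```python
import re

# Constructed sample of var/lib/dpkg/status (not taken from a real system).
SAMPLE_STATUS = """\
Package: libfoo1
Status: install ok installed
Source: foo
Version: 1.2-3

Package: bar
Status: install ok installed
Version: 2.0-1

Package: libbaz0
Status: install ok installed
Source: baz (0.9-4)
Version: 0.9-4+b1

Package: gone
Status: deinstall ok config-files
Version: 3.1-1
"""

# "Source: name" or "Source: name (version)" when the source version differs.
SOURCE_RE = re.compile(r"^(\S+)(?:\s+\(([^)]+)\))?$")

def parse_stanzas(text):
    """Yield each status stanza as a dict of field name -> value."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def source_pins(text):
    """Return sorted unique 'source=version' pins for installed packages."""
    pins = set()
    for f in parse_stanzas(text):
        if f.get("Status", "").split()[-1:] != ["installed"]:
            continue                              # removed or config-files only
        m = SOURCE_RE.match(f.get("Source", ""))
        name = m.group(1) if m else f["Package"]  # no Source: -> binary name
        version = m.group(2) if m and m.group(2) else f["Version"]
        pins.add(f"{name}={version}")
    return sorted(pins)

if __name__ == "__main__":
    print("\n".join(source_pins(SAMPLE_STATUS)))
```

Pinning each source to the version recorded in the status file means an archive update between the binary and source downloads shows up as a failed fetch rather than a silent mismatch.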