Bug#999738: runtime deps on -dev library symlinks not caught
Hi Bdale,

On Thu, Nov 18, 2021 at 2:20 PM Bdale Garbee wrote:
>
> I don't know if lintian already tries to parse any scheme source.

We do not, currently.

> just close this as I don't think it's worth chasing.

For now, I would like to offer you this research tag. [1] The output will not appear on our website or be shown to any users, but you could (relatively soon) access archive-wide results via our JSON interface. [2] We would then try to refine the tag for public consumption together.

What do you think, please?

Kind regards
Felix Lechner

[1] https://salsa.debian.org/lintian/lintian/-/merge_requests/382
[2] https://lintian.debian.org/query

Bug#999738: runtime deps on -dev library symlinks not caught
Felix Lechner writes:

> Do you have the output of 'readelf --all --wide' [1] for one of those
> binaries?

The elf library binaries delivered by the package actually look fine. Digging further, it appears the problem cases are all in guile code, where the function dynamic-link is handed a token like 'libglib-2.0':

(define libglib (dynamic-link "libglib-2.0"))

This guile code gets "compiled" on the first invocation of the application and cached in ~/.cache/guile. The problem is that at runtime, that function call results in an attempt to load 'libglib-2.0.so' which fails if the -dev package isn't installed.

I'm fixing those with Makefile.am changes like:

-LIBGLIB=libglib-2.0
+LIBGLIB := $(shell /sbin/ldconfig -p | awk '/libglib-2.0.so\./ { print $$1 }')

That changes the guile code to look like:

(define libglib (dynamic-link "libglib-2.0.so.0"))

which works as desired at runtime, since that symlink is provided by the binary library package.

So .. I'm not sure how good the return on investment of trying to add a test for this in lintian would be. Talking to upstream about it, the approach I'm using in Makefile.am seems credible and they may just take that in. There's no indication the dynamic-link function in guile is going to get any "smarter", so Makefile.am is probably the right place to fix the problem.

> Your condition involves sonames that I believe are customarily
> provided by links in '-dev' installables instead of regular shared
> library packages.

Exactly.

> What do you think, please? Thanks!

I don't know if lintian already tries to parse any scheme source. If not, just close this as I don't think it's worth chasing. If it does, we could perhaps add a test for the dynamic-link function being handed a token without '.so.0' in it, or something?

Bdale

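Review bot: On the + line, `/sbin/ldconfig -p | awk '/libglib-2.0.so\./ { print $$1 }'` prints one name per matching cache entry, so a build machine that has the library installed for more than one architecture puts several space-separated names into LIBGLIB, and a machine without it produces an empty value; either one ends up inside the dynamic-link string. Consider stopping at the first match (`{ print $$1; exit }`) and failing the build when the result is empty. The lookup also reads the build machine's linker cache, which deserves a comment in Makefile.am for cross builds.
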
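The test floated at the end of Bdale's message above, flagging dynamic-link calls whose library name has no versioned '.so.N' suffix, sketched in Python as an added example. It is not lintian code and not the research tag from the merge request; the function names and the sample Scheme source are constructed for illustration, and only ';' line comments are skipped (block comments are not handled).

```python
import re

# First string argument of a (dynamic-link "...") call in Scheme source.
DYNAMIC_LINK = re.compile(r'\(\s*dynamic-link\s+"([^"]+)"')
# Names ending in .so.N are the links shipped by the shared library package;
# bare names and plain .so names resolve through the -dev package symlink.
VERSIONED = re.compile(r'\.so\.\d+(\.\d+)*$')

def strip_comments(source):
    """Drop ';' line comments that are not inside a string literal."""
    out, in_string, escaped, skipping = [], False, False, False
    for ch in source:
        if skipping:
            if ch == "\n":          # keep the newline so line numbers survive
                skipping = False
                out.append(ch)
        elif in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == ";":
            skipping = True
        else:
            in_string = ch == '"'
            out.append(ch)
    return "".join(out)

def unversioned_dynamic_links(source):
    """Return (line, name) for each dynamic-link call given an unversioned name."""
    text = strip_comments(source)
    return [(text.count("\n", 0, m.start()) + 1, m.group(1))
            for m in DYNAMIC_LINK.finditer(text)
            if not VERSIONED.search(m.group(1))]

# Constructed sample: two problem calls, one fixed call, one commented-out call.
SAMPLE = '''\
(define libglib (dynamic-link "libglib-2.0"))
(define libgobject (dynamic-link "libgobject-2.0.so.0"))
; (dynamic-link "libold")
(define libm
  (dynamic-link "libm.so"))
'''

if __name__ == "__main__":
    for line, name in unversioned_dynamic_links(SAMPLE):
        print(f"line {line}: dynamic-link \"{name}\" needs a -dev symlink at runtime")
```
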
Bug#999738: runtime deps on -dev library symlinks not caught
Hi Bdale,

On Mon, Nov 15, 2021 at 11:06 AM Bdale Garbee wrote:
>
> Makefile.am ... resulted in binaries ... having
> a run-time dependency on the symlinks provided in the library -dev
> package instead of the ".0" version .. in the
> actual library packages.

Do you have the output of 'readelf --all --wide' [1] for one of those binaries? I am especially interested in the NEEDED field from the "Dynamic Section." [2][3]

The tag 'undeclared-elf-prerequisites' [4] can probably be expanded to cover your condition of insufficient prerequisites (instead of none at all).

Your condition involves sonames that I believe are customarily provided by links in '-dev' installables instead of regular shared library packages. I would adjust that logic there. [5] In particular, I would refine the conditional:

if @{$item->elf->{NEEDED} // [] } && $depends->is_empty;

What do you think, please? Thanks!

Kind regards
Felix Lechner

[1] https://salsa.debian.org/lintian/lintian/-/blob/master/lib/Lintian/Index/Elf.pm#L85
[2] https://salsa.debian.org/lintian/lintian/-/blob/master/lib/Lintian/Index/Elf.pm#L215
[3] https://salsa.debian.org/lintian/lintian/-/blob/master/lib/Lintian/Index/Elf.pm#L445
[4] https://salsa.debian.org/lintian/lintian/-/blob/master/tags/u/undeclared-elf-prerequisites.tag
[5] https://salsa.debian.org/lintian/lintian/-/blob/master/lib/Lintian/Check/Binaries/Prerequisites.pm#L108-113

Bug#999738: runtime deps on -dev library symlinks not caught
Package: lintian
Severity: wishlist

I've had a couple bugs recently, including 999699, where upstream Makefile.am content has resulted in binaries delivered in a .deb having a run-time dependency on the symlinks provided in the library -dev package instead of the ".0" version of those files provided in the actual library packages.

It would be nice if lintian were to notice and warn about these cases, particularly if the -dev package isn't explicitly specified as a binary package dependency (as it probably shouldn't be in most cases?).

Bdale