Bug#531556: Bug#470154: Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-07-13 Thread gregor herrmann
On Mon, 13 Jul 2009 21:39:58 +0300, Niko Tyni wrote:

> > > Even if it can't be re-uploaded with a lower version number, leaving
> > > this small security fix (it was not worth a DSA) out of the oldstable
> > > update altogether would be preferable to the breakage IMO.
> > Ok, then please file a bugreport against ftp.debian.org.
> Gregor, is this OK by you?
> (dropping -release from the cc's)

Sure, please go ahead!

Cheers,
gregor 
-- 
 .''`.   http://info.comodo.priv.at/ -- GPG Key IDs: 0x00F3CFE4, 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-BOFH excuse #162:  bugs in the RAID 




Bug#531556: Bug#470154: Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-07-13 Thread Niko Tyni
On Sun, Jul 12, 2009 at 11:18:23PM +0200, Luk Claes wrote:
> Niko Tyni wrote:

> > Is it possible to remove 1.38-3~etch1 from oldstable-proposed-updates?
> 
> Yes, that's possible via a bugreport against ftp.debian.org. It would
> not be possible to upload a lower version though.
> 
> > Even if it can't be re-uploaded with a lower version number, leaving
> > this small security fix (it was not worth a DSA) out of the oldstable
> > update altogether would be preferable to the breakage IMO.
> 
> Ok, then please file a bugreport against ftp.debian.org.

Gregor, is this OK by you?

(dropping -release from the cc's)
-- 
Niko



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-07-12 Thread Luk Claes
Niko Tyni wrote:
> On Sat, Jul 11, 2009 at 01:50:56PM +0200, Luk Claes wrote:
>> Niko Tyni wrote:
>>> On Thu, Jun 04, 2009 at 10:19:38AM +0300, Niko Tyni wrote:
>>>  
>>>> Oldstable release managers: will you accept a libarchive-tar-perl
>>>> 1.38-3~etch2 upload with the diversions added, or can you suggest
>>>> another fix?  What's the schedule for the Etch r9 release?
>> Introducing diversions in a point release is a no go IMHO.
>>
>> As the Conflicts entry did not leave room for any update, that's the bug
>> that should be fixed IMHO.
> 
> I disagree it's a bug and there was plenty of room between 1.30-2 and 1.38-2.
> But never mind that.
> 
> As we can only update the Lenny Conflicts entry for 5.0.3, that leaves
> broken upgrades from Etch r9 to Lenny 5.0.{0,1,2}. Is this really acceptable?
> 
> Is it possible to remove 1.38-3~etch1 from oldstable-proposed-updates?

Yes, that's possible via a bugreport against ftp.debian.org. It would
not be possible to upload a lower version though.

> Even if it can't be re-uploaded with a lower version number, leaving
> this small security fix (it was not worth a DSA) out of the oldstable
> update altogether would be preferable to the breakage IMO.

Ok, then please file a bugreport against ftp.debian.org.

Cheers

Luk

PS: I'm Bcc-ing the Security Team on this.






Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-07-12 Thread Niko Tyni
On Sat, Jul 11, 2009 at 01:50:56PM +0200, Luk Claes wrote:
> Niko Tyni wrote:
> > On Thu, Jun 04, 2009 at 10:19:38AM +0300, Niko Tyni wrote:
> >  
> >> Oldstable release managers: will you accept a libarchive-tar-perl
> >> 1.38-3~etch2 upload with the diversions added, or can you suggest
> >> another fix?  What's the schedule for the Etch r9 release?
> 
> Introducing diversions in a point release is a no go IMHO.
> 
> As the Conflicts entry did not leave room for any update, that's the bug
> that should be fixed IMHO.

I disagree it's a bug and there was plenty of room between 1.30-2 and 1.38-2.
But never mind that.

As we can only update the Lenny Conflicts entry for 5.0.3, that leaves
broken upgrades from Etch r9 to Lenny 5.0.{0,1,2}. Is this really acceptable?

Is it possible to remove 1.38-3~etch1 from oldstable-proposed-updates?
Even if it can't be re-uploaded with a lower version number, leaving
this small security fix (it was not worth a DSA) out of the oldstable
update altogether would be preferable to the breakage IMO.

> It's mentioned in the TODO.

Thanks.
-- 
Niko Tyni   nt...@debian.org






Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-07-11 Thread Luk Claes
Niko Tyni wrote:
> On Thu, Jun 04, 2009 at 10:19:38AM +0300, Niko Tyni wrote:
>  
>> Oldstable release managers: will you accept a libarchive-tar-perl
>> 1.38-3~etch2 upload with the diversions added, or can you suggest
>> another fix?  What's the schedule for the Etch r9 release?

Introducing diversions in a point release is a no go IMHO.

As the Conflicts entry did not leave room for any update, that's the bug
that should be fixed IMHO.

> Ping? I see 1.38-3~etch1 is still ACCEPTED in oldstable-proposed-updates,
> but it would be very unfortunate to have an Etch point release with that.
> 
> I understand the release may not be very soon, but I'm worried
> this gets forgotten. Maybe adding a note to the TODO list on top of
>  http://release.debian.org/proposed-updates/oldstable.html 
> would suffice to make sure this gets resolved before the release?

It's mentioned in the TODO.

Cheers

Luk






Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-07-09 Thread Niko Tyni
On Thu, Jun 04, 2009 at 10:19:38AM +0300, Niko Tyni wrote:
 
> Oldstable release managers: will you accept a libarchive-tar-perl
> 1.38-3~etch2 upload with the diversions added, or can you suggest
> another fix?  What's the schedule for the Etch r9 release?

Ping? I see 1.38-3~etch1 is still ACCEPTED in oldstable-proposed-updates,
but it would be very unfortunate to have an Etch point release with that.

I understand the release may not be very soon, but I'm worried
this gets forgotten. Maybe adding a note to the TODO list on top of
 http://release.debian.org/proposed-updates/oldstable.html 
would suffice to make sure this gets resolved before the release?

Thanks for your work,
-- 
Niko Tyni   nt...@debian.org






Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-06-04 Thread Niko Tyni
On Tue, Jun 02, 2009 at 04:05:51PM +0200, Toni Mueller wrote:
> On Tue, 02.06.2009 at 15:36:31 +0300, Niko Tyni  wrote:

> methinks that the by far easiest and cleanest solution would be to
> update the perl or perl-modules package in Lenny.

That would leave a broken upgrade path from the (future) Etch r9 release
to the (base and current) Lenny 5.0.0 and 5.0.1 releases. I don't think
that's acceptable, particularly for 5.0.0.

> > FWIW, I'd prefer having this fixed inside the libarchive-tar-perl etch
> > update, but I can certainly prepare a lenny update for the perl package
> > if that turns out to be necessary.
> 
> Since Archive::Tar is afaik already contained in Perl 5.10 via
> upstream, there is imho no place for a libarchive-tar-perl package in
> Lenny in the first place. Therefore, I don't understand why the
> "Replace" clause has a version number. Just removing the version number
> and conflicting with all libarchive-tar-perl packages therefore seems
> to be the correct solution to me.

Minor point: the version number is in the "Conflicts" field, not
"Replaces".

The Perl policy and packages go to some trouble to ensure that the
modules bundled with the core can be overridden by separately packaged
newer versions. The conflicts are primarily there to ensure that
separately packaged older versions get removed.

See for instance the libpod-simple-perl and libmodule-corelist-perl
packages, which are both in Lenny despite being contained in the core.

Normally, we'd just conflict with libarchive-tar-perl (<< 1.38) or 
(<< 1.38-1): even if overriding the core 1.38 version with a separate 1.38
package is pointless, there's no harm done. 

In particular, if somebody wants to package a newer version, like the
current 1.48, they should be allowed to.

The special thing in this case is /usr/bin/ptar and /usr/bin/ptardiff,
which cause file level conflicts. The Lenny perl package has
made allowances for those by replacing all the earlier versions of
libarchive-tar-perl - they couldn't have known about the file conflict
ahead of time.

However, the perl package couldn't predict the future either, so it only
conflicts with (<= 1.38-2), with the expectation that later versions
will use diversions to handle the file conflicts.

In hindsight, the choice for the Etch update version (leaping from 1.30-2
to 1.38-3~etch1) was unfortunate, and if it's still possible to revert
it, that would be the easy way out. Given it's already in pool/ on the
FTP servers, I doubt that.

So the only real fix I can see is adding the diversions with 1.38-3~etch2.

We can still put out a Lenny perl update to upgrade the Conflicts field,
but that's neither sufficient nor necessary. The sid perl version contains
additional fixes, and I will update the Conflicts there in any case.

Oldstable release managers: will you accept a libarchive-tar-perl
1.38-3~etch2 upload with the diversions added, or can you suggest
another fix?  What's the schedule for the Etch r9 release?
-- 
Niko Tyni   nt...@debian.org 






Bug#531556: Bug#470154: Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-06-03 Thread gregor herrmann
On Tue, 02 Jun 2009 15:36:31 +0300, Niko Tyni wrote:

> The lenny perl-modules package indeed only conflicts on
> libarchive-tar-perl (<= 1.38-2). Quoting Brendan O'Dea in #470154
> (cc'd to notify the pkg-perl folks):

Thanks for the notification.
 
> > While I can, and have added replaces for versions of libarchive-tar-perl
> > up to and including 1.38-2, you will have to add diversions for ptar and
> > ptardiff (or not include them) in later versions to avoid breaking perl
> > upgrades.
> This did not happen with 1.38-3~etch1.

Ack, I took the last version from unstable before the package was
released, and I missed #470154 ... (1.38-2). Sorry for that.

The code for the diversions was already in svn as 1.38-3 but it was
never released.
 
> I see three options for a fix: 
> - update the lenny perl-modules Conflicts 
> - add diversions for /usr/bin/ptar and /usr/bin/ptardiff
>   (and their manual pages) in the libarchive-tar-perl etch update
> - re-upload the Etch update with a lower version number (is this even
>   possible?), for example 1.38~etch-1 or somesuch
> 
> FWIW, I'd prefer having this fixed inside the libarchive-tar-perl etch
> update, but I can certainly prepare a lenny update for the perl package
> if that turns out to be necessary.

I'm happy to help with libarchive-tar-perl but I'd like to wait for a
consensus and the release team's opinion before doing anything.
 

Cheers,
gregor 
-- 
 .''`.   Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-NP: U2: Lemon




Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-06-02 Thread Toni Mueller

Hi Niko,

On Tue, 02.06.2009 at 15:36:31 +0300, Niko Tyni  wrote:
> I see three options for a fix: 
> - update the lenny perl-modules Conflicts 

methinks that the by far easiest and cleanest solution would be to
update the perl or perl-modules package in Lenny.

> FWIW, I'd prefer having this fixed inside the libarchive-tar-perl etch
> update, but I can certainly prepare a lenny update for the perl package
> if that turns out to be necessary.

Since Archive::Tar is afaik already contained in Perl 5.10 via
upstream, there is imho no place for a libarchive-tar-perl package in
Lenny in the first place. Therefore, I don't understand why the
"Replace" clause has a version number. Just removing the version number
and conflicting with all libarchive-tar-perl packages therefore seems
to be the correct solution to me.


-- 
Kind regards,
--Toni++







Bug#531556: upgrade problem with the proposed libarchive-tar-perl Etch update

2009-06-02 Thread Niko Tyni
On Tue, Jun 02, 2009 at 01:21:13PM +0200, Julien Cristau wrote:
> severity 531556 serious
> reassign 531556 perl 5.10.0-19
> retitle 531556 perl needs updated Replaces on libarchive-tar-perl
> kthxbye
> 
> On Tue, Jun  2, 2009 at 12:20:44 +0200, Toni Mueller wrote:
> 
> > when I upgraded one of my Etch machines to Lenny, the new Perl 5.10 could not
> > be installed because it conflicted with libarchive-tar-perl (version
> > 1.38-3~etch1) which I had installed. As a consequence, all sorts of package
> > managing scripts (debsums etc.pp.) broke, and nothing moved. I was able to
> > manually delete the offending package using dpkg, and get things going again,
> > but I don't know if that's within reach of the end user because, at
> > that point, the system was mostly non-functional because about half of
> > all my packages were not correctly installed.
> > 
> The version of libarchive-tar-perl you had installed is not in etch,
> yet.  An upgrade from plain etch would have worked.
> 
> Reassigning to perl to hopefully get an updated version in lenny when
> the new libarchive-tar-perl gets into etch.

Thanks for noticing this.

Oldstable release managers: I see libarchive-tar-perl/1.38-3~etch1 is
already accepted for etch. Is it still possible to put it on hold until
this is sorted out?

The lenny perl-modules package indeed only conflicts on
libarchive-tar-perl (<= 1.38-2). Quoting Brendan O'Dea in #470154
(cc'd to notify the pkg-perl folks):

> While I can, and have added replaces for versions of libarchive-tar-perl
> up to and including 1.38-2, you will have to add diversions for ptar and
> ptardiff (or not include them) in later versions to avoid breaking perl
> upgrades.

This did not happen with 1.38-3~etch1.

I see three options for a fix: 
- update the lenny perl-modules Conflicts 
- add diversions for /usr/bin/ptar and /usr/bin/ptardiff
  (and their manual pages) in the libarchive-tar-perl etch update
- re-upload the Etch update with a lower version number (is this even
  possible?), for example 1.38~etch-1 or somesuch

FWIW, I'd prefer having this fixed inside the libarchive-tar-perl etch
update, but I can certainly prepare a lenny update for the perl package
if that turns out to be necessary.

I'm not sure if we claim to support upgrades from an Etch point release
to the base (r0) Lenny release. If we do, this can't really be fixed
in perl-modules at all.

I think the Archive::Tar code in libarchive-tar-perl/1.38-3~etch1 is
supposed to be equivalent to that in perl-modules/5.10.0-19, so it would
not be a problem if the separate libarchive-tar-perl package stays on
the system when it's later upgraded to Lenny (as would happen with
the diversions option.)
-- 
Niko Tyni   nt...@debian.org
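
Added example, not part of the original thread: a small Python reimplementation of Debian's version ordering, used to check which of the libarchive-tar-perl versions named above satisfy the Lenny perl-modules relation `(<= 1.38-2)`. The function names are hypothetical; on a Debian system `dpkg --compare-versions` gives the authoritative answer.

```python
import re

def _weight(ch):
    """Sort weight of one non-digit character ('' marks the end of a run)."""
    if ch == "~":
        return -1                      # tilde sorts before everything, even the end
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings: -1, 0 or 1."""
    pa = re.findall(r"(\D*)(\d*)", a)  # alternating (non-digit, digit) runs
    pb = re.findall(r"(\D*)(\d*)", b)
    for i in range(max(len(pa), len(pb))):
        sa, da = pa[i] if i < len(pa) else ("", "")
        sb, db = pb[i] if i < len(pb) else ("", "")
        for k in range(max(len(sa), len(sb))):
            wa, wb = _weight(sa[k:k + 1]), _weight(sb[k:k + 1])
            if wa != wb:
                return -1 if wa < wb else 1
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; the revision follows the last hyphen."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a, b):
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

_OPS = {"<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
        ">=": lambda c: c >= 0, ">>": lambda c: c > 0}

def relation_matches(installed, op, bound):
    return _OPS[op](compare(installed, bound))

# Versions quoted in the thread, checked against the relation it cites.
CANDIDATES = ["1.30-2", "1.38-2", "1.38-3~etch1", "1.38~etch-1"]

def covered():
    return {v: relation_matches(v, "<=", "1.38-2") for v in CANDIDATES}

if __name__ == "__main__":
    for version, hit in covered().items():
        print(f"{version:14} (<= 1.38-2): {'matched' if hit else 'NOT matched'}")
```

The `~etch1` suffix only sorts the update below a later 1.38-3; the revision still starts with 3, so it falls outside `(<= 1.38-2)`, while the tilde placed in the upstream part (`1.38~etch-1`) sorts below 1.38 and stays inside it.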


