Your message dated Tue, 12 Dec 2023 15:46:03 +0100
with message-id <20231212144603.ga68...@subdivi.de>
and subject line Re: busybox: possible file loss during upgrade arising from 
/usr-merge
has caused the Debian Bug report #1057219,
regarding busybox: possible file loss during upgrade arising from /usr-merge
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1057219: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057219
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: busybox
Version: 1:1.36.1-6
Severity: serious
User: helm...@debian.org
Usertags: dep17p1

Hi Chris and Michael,

I am very sorry to tell you that I found a contrieved /usr-merge problem
with the busybox upload. In essence, Conflicts allow for concurrent
unpacks in weired situations. As a consequence, you may miss the busybox
binary if you upgrade from bookworm to trixie and change from
busybox-static to busybox or vice versa in the process. I do not have a
solution at this time and file this bug as a migration blocker. If you
want to get rid of the rc bug, you may upload a revert. Otherwise,
please wait until we have a better understanding of the problem.

I am filing a detailed report for systemd-sysv with a very similar
issue.

Helmut

--- End Message ---
--- Begin Message ---
Hi,

On Fri, Dec 01, 2023 at 07:07:20PM +0100, Helmut Grohne wrote:
> I am very sorry to tell you that I found a contrieved /usr-merge problem
> with the busybox upload. In essence, Conflicts allow for concurrent
> unpacks in weired situations. As a consequence, you may miss the busybox
> binary if you upgrade from bookworm to trixie and change from
> busybox-static to busybox or vice versa in the process. I do not have a
> solution at this time and file this bug as a migration blocker. If you
> want to get rid of the rc bug, you may upload a revert. Otherwise,
> please wait until we have a better understanding of the problem.

We now have a better understanding.

In particular, the loss scenario requires "scheduling a package for
removal" using "dpkg --set-selections" and then unpacking a conflicting
package. apt only ever does this when it has to perform a temporary
removal. The only known scenario where this was observed for real is
when two packages are upgraded and the updated versions mutualy conflict
with old versions of one another. This is not the case for busybox and
also not for openresolv. For systemd, we will be restoring lost files in
postinst. If we ever encounter real loss scenarios for either package,
it can be mitigated as follows:

1. Identify all of the lost files.
2. For all regular files, create backup copies in your package in the
   data.tar. I suggest to use hard links to avoid increasing the package
   size.
3. In postinst check for absence of any lost file and restore it from
   the backup copy.

In case the lost file is not a regular file, no backup copy is
necessary. Directories and symbolic links can be restored directly.

This mitigation needs to be in effect until the trixie release and then
can be removed.

I am now closing these bugs, because apt handles the multiple
providers-for-the-same-facility situation without temporary removals.
For instance, if you have a bookworm systemd with busybox and miniramfs
(an arbitrary package that happens to depend on busybox). Then you
change your sources to sid (which has a /usr-moved busybox) and apt
install busybox-static (thus changing provider). Then apt will remove
busybox (from bookworm with files in /sbin) before installing
busybox-static (from sid with files in /usr/sbin) hence not causing the
loss scenario. What I'm saying about busybox here likewise holds for
openresolv.

The way to experience this loss appears to require using dpkg directly
and we consider that sufficiently unlikely that we don't handle this
case. The release-notes already require upgrades to be performed with
apt and we can add an additional warning about this case.

Helmut

--- End Message ---

Reply via email to