Package: libxtables12
Version: 1.6.0+snapshot20161117-2
Severity: important
Tags: patch

While investigating the libxtables12 transition I noticed that none of the libraries generated by src:iptables produce versioned dependencies in other packages. For example, connman Depends: libxtables11 (without the expected (>= version) qualifier), and systemd Depends: libip4tc0 (again without a (>= version) qualifier).

This is problematic because when one of your libraries adds new ABI, and a dependent package such as connman or systemd makes use of that ABI, dpkg will allow the dependent package to be installed with an older library version, which will make it fail to link at runtime. Similarly, the dependent package would be allowed to migrate to testing without its required libraries also being in testing, potentially causing a broken stable release.

For iptables itself, there is a shlibs.local file to generate versioned dependencies, but this is ineffective for third-party packages.

After libxtables12 has migrated to testing, I would recommend adding a symbols file for each library as described in Policy §8.6 <https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#s-sharedlibs-depends>. This should make the shlibs.local file unnecessary.

In the proposed symbols files in the attached patch, I have also set the Build-Depends-Package metadata field, so that a versioned build-dependency on libip4tc-dev (>= 1.2.3) would result in a versioned runtime dependency on at least libip4tc0 (>= 1.2.3); this is a useful way to avoid breaking software authors' expectations.

Alternatively, if you do not want to maintain symbols files, please use the -V or --version-info option to dh_makeshlibs(1) to generate conservative versioned dependencies. For example, util-linux is an example of this technique.

Adding the symbols files reveals some namespace pollution that should probably be fixed upstream: in particular, "int line" was probably not intended to be ABI. Please talk to upstream about making symbols that are not intended to be ABI static, or assigning them hidden visibility.

Regards,
S

-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libxtables12 depends on:
ii libc6 2.24-5

libxtables12 recommends no packages.
libxtables12 suggests no packages.

-- no debconf information
>From 4ba5bcf139d5a3b69984909eb61b1aa7b89935c7 Mon Sep 17 00:00:00 2001 From: Simon McVittie <[email protected]> Date: Tue, 22 Nov 2016 10:11:42 +0000 Subject: [PATCH] Add symbols files for all libraries * Add symbols files for all libraries - d/shlibs.local: remove, obsoleted by symbols files --- debian/changelog | 7 +++++ debian/libip4tc0.symbols | 32 +++++++++++++++++++ debian/libip6tc0.symbols | 32 +++++++++++++++++++ debian/libiptc0.symbols | 2 ++ debian/libxtables12.symbols | 75 +++++++++++++++++++++++++++++++++++++++++++++ debian/shlibs.local | 1 - 6 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 debian/libip4tc0.symbols create mode 100644 debian/libip6tc0.symbols create mode 100644 debian/libiptc0.symbols create mode 100644 debian/libxtables12.symbols delete mode 100644 debian/shlibs.local diff --git a/debian/changelog b/debian/changelog index 84c0925..3c0a8d9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +iptables (1.6.0+snapshot20161117-3.1) UNRELEASED; urgency=medium + + * Add symbols files for all libraries + - d/shlibs.local: remove, obsoleted by symbols files + + -- Simon McVittie <[email protected]> Tue, 22 Nov 2016 09:46:34 +0000 + iptables (1.6.0+snapshot20161117-3) unstable; urgency=medium * [21fdc57] libxtables12: breaks and replaces libxtables11 (Closes: diff --git a/debian/libip4tc0.symbols b/debian/libip4tc0.symbols new file mode 100644 index 0000000..8e1e60b --- /dev/null +++ b/debian/libip4tc0.symbols 
@@ -0,0 +1,32 @@ +libip4tc.so.0 libip4tc0 #MINVER# +* Build-Depends-Package: libip4tc-dev + dump_entries@Base 1.6.0+snapshot20161117 + iptc_append_entry@Base 1.6.0+snapshot20161117 + iptc_builtin@Base 1.6.0+snapshot20161117 + iptc_check_entry@Base 1.6.0+snapshot20161117 + iptc_commit@Base 1.6.0+snapshot20161117 + iptc_create_chain@Base 1.6.0+snapshot20161117 + iptc_delete_chain@Base 1.6.0+snapshot20161117 + iptc_delete_entry@Base 1.6.0+snapshot20161117 + iptc_delete_num_entry@Base 1.6.0+snapshot20161117 + iptc_first_chain@Base 1.6.0+snapshot20161117 + iptc_first_rule@Base 1.6.0+snapshot20161117 + iptc_flush_entries@Base 1.6.0+snapshot20161117 + iptc_free@Base 1.6.0+snapshot20161117 + iptc_get_policy@Base 1.6.0+snapshot20161117 + iptc_get_references@Base 1.6.0+snapshot20161117 + iptc_get_target@Base 1.6.0+snapshot20161117 + iptc_init@Base 1.6.0+snapshot20161117 + iptc_insert_entry@Base 1.6.0+snapshot20161117 + iptc_is_chain@Base 1.6.0+snapshot20161117 + iptc_next_chain@Base 1.6.0+snapshot20161117 + iptc_next_rule@Base 1.6.0+snapshot20161117 + iptc_ops@Base 1.6.0+snapshot20161117 + iptc_read_counter@Base 1.6.0+snapshot20161117 + iptc_rename_chain@Base 1.6.0+snapshot20161117 + iptc_replace_entry@Base 1.6.0+snapshot20161117 + iptc_set_counter@Base 1.6.0+snapshot20161117 + iptc_set_policy@Base 1.6.0+snapshot20161117 + iptc_strerror@Base 1.6.0+snapshot20161117 + iptc_zero_counter@Base 1.6.0+snapshot20161117 + iptc_zero_entries@Base 1.6.0+snapshot20161117 diff --git a/debian/libip6tc0.symbols b/debian/libip6tc0.symbols new file mode 100644 index 0000000..3c91c28 --- /dev/null +++ b/debian/libip6tc0.symbols 
@@ -0,0 +1,32 @@ +libip6tc.so.0 libip6tc0 #MINVER# +* Build-Depends-Package: libip6tc-dev + dump_entries6@Base 1.6.0+snapshot20161117 + ip6tc_append_entry@Base 1.6.0+snapshot20161117 + ip6tc_builtin@Base 1.6.0+snapshot20161117 + ip6tc_check_entry@Base 1.6.0+snapshot20161117 + ip6tc_commit@Base 1.6.0+snapshot20161117 + ip6tc_create_chain@Base 1.6.0+snapshot20161117 + ip6tc_delete_chain@Base 1.6.0+snapshot20161117 + ip6tc_delete_entry@Base 1.6.0+snapshot20161117 + ip6tc_delete_num_entry@Base 1.6.0+snapshot20161117 + ip6tc_first_chain@Base 1.6.0+snapshot20161117 + ip6tc_first_rule@Base 1.6.0+snapshot20161117 + ip6tc_flush_entries@Base 1.6.0+snapshot20161117 + ip6tc_free@Base 1.6.0+snapshot20161117 + ip6tc_get_policy@Base 1.6.0+snapshot20161117 + ip6tc_get_references@Base 1.6.0+snapshot20161117 + ip6tc_get_target@Base 1.6.0+snapshot20161117 + ip6tc_init@Base 1.6.0+snapshot20161117 + ip6tc_insert_entry@Base 1.6.0+snapshot20161117 + ip6tc_is_chain@Base 1.6.0+snapshot20161117 + ip6tc_next_chain@Base 1.6.0+snapshot20161117 + ip6tc_next_rule@Base 1.6.0+snapshot20161117 + ip6tc_ops@Base 1.6.0+snapshot20161117 + ip6tc_read_counter@Base 1.6.0+snapshot20161117 + ip6tc_rename_chain@Base 1.6.0+snapshot20161117 + ip6tc_replace_entry@Base 1.6.0+snapshot20161117 + ip6tc_set_counter@Base 1.6.0+snapshot20161117 + ip6tc_set_policy@Base 1.6.0+snapshot2016111 + ip6tc_strerror@Base 1.6.0+snapshot20161117 + ip6tc_zero_counter@Base 1.6.0+snapshot20161117 + ip6tc_zero_entries@Base 1.6.0+snapshot20161117 diff --git a/debian/libiptc0.symbols b/debian/libiptc0.symbols new file mode 100644 index 0000000..723fb17 --- /dev/null +++ b/debian/libiptc0.symbols @@ -0,0 +1,2 @@ +libiptc.so.0 libiptc0 #MINVER# +* Build-Depends-Package: libiptc-dev diff --git a/debian/libxtables12.symbols b/debian/libxtables12.symbols new file mode 100644 index 0000000..39db048 --- /dev/null +++ b/debian/libxtables12.symbols 
@@ -0,0 +1,75 @@ +libxtables.so.12 libxtables12 #MINVER# +* Build-Depends-Package: libxtables-dev + afinfo@Base 1.6.0+snapshot20161117 + basic_exit_err@Base 1.6.0+snapshot20161117 + get_kernel_version@Base 1.6.0+snapshot20161117 + kernel_version@Base 1.6.0+snapshot20161117 + line@Base 1.6.0+snapshot20161117 + xt_params@Base 1.6.0+snapshot20161117 + xt_xlate_add@Base 1.6.0+snapshot20161117 + xt_xlate_add_comment@Base 1.6.0+snapshot20161117 + xt_xlate_alloc@Base 1.6.0+snapshot20161117 + xt_xlate_free@Base 1.6.0+snapshot20161117 + xt_xlate_get@Base 1.6.0+snapshot20161117 + xt_xlate_get_comment@Base 1.6.0+snapshot20161117 + xtables_calloc@Base 1.6.0+snapshot20161117 + xtables_chain_protos@Base 1.6.0+snapshot20161117 + xtables_compatible_revision@Base 1.6.0+snapshot20161117 + xtables_find_match@Base 1.6.0+snapshot20161117 + xtables_find_target@Base 1.6.0+snapshot20161117 + xtables_free_opts@Base 1.6.0+snapshot20161117 + xtables_init@Base 1.6.0+snapshot20161117 + xtables_init_all@Base 1.6.0+snapshot20161117 + xtables_insmod@Base 1.6.0+snapshot20161117 + xtables_ip6addr_to_anyname@Base 1.6.0+snapshot20161117 + xtables_ip6addr_to_numeric@Base 1.6.0+snapshot20161117 + xtables_ip6mask_to_cidr@Base 1.6.0+snapshot20161117 + xtables_ip6mask_to_numeric@Base 1.6.0+snapshot20161117 + xtables_ip6parse_any@Base 1.6.0+snapshot20161117 + xtables_ip6parse_multiple@Base 1.6.0+snapshot20161117 + xtables_ipaddr_to_anyname@Base 1.6.0+snapshot20161117 + xtables_ipaddr_to_numeric@Base 1.6.0+snapshot20161117 + xtables_ipmask_to_cidr@Base 1.6.0+snapshot20161117 + xtables_ipmask_to_numeric@Base 1.6.0+snapshot20161117 + xtables_ipparse_any@Base 1.6.0+snapshot20161117 + xtables_ipparse_multiple@Base 1.6.0+snapshot20161117 + xtables_lmap_free@Base 1.6.0+snapshot20161117 + xtables_lmap_id2name@Base 1.6.0+snapshot20161117 + xtables_lmap_init@Base 1.6.0+snapshot20161117 + xtables_lmap_name2id@Base 1.6.0+snapshot20161117 + xtables_load_ko@Base 1.6.0+snapshot20161117 + xtables_malloc@Base 
1.6.0+snapshot20161117 + xtables_matches@Base 1.6.0+snapshot20161117 + xtables_merge_options@Base 1.6.0+snapshot20161117 + xtables_modprobe_program@Base 1.6.0+snapshot20161117 + xtables_numeric_to_ip6addr@Base 1.6.0+snapshot20161117 + xtables_numeric_to_ipaddr@Base 1.6.0+snapshot20161117 + xtables_numeric_to_ipmask@Base 1.6.0+snapshot20161117 + xtables_option_metavalidate@Base 1.6.0+snapshot20161117 + xtables_option_mfcall@Base 1.6.0+snapshot20161117 + xtables_option_mpcall@Base 1.6.0+snapshot20161117 + xtables_option_parse@Base 1.6.0+snapshot20161117 + xtables_option_tfcall@Base 1.6.0+snapshot20161117 + xtables_option_tpcall@Base 1.6.0+snapshot20161117 + xtables_options_fcheck@Base 1.6.0+snapshot20161117 + xtables_options_xfrm@Base 1.6.0+snapshot20161117 + xtables_param_act@Base 1.6.0+snapshot20161117 + xtables_parse_interface@Base 1.6.0+snapshot20161117 + xtables_parse_port@Base 1.6.0+snapshot20161117 + xtables_parse_protocol@Base 1.6.0+snapshot20161117 + xtables_pending_matches@Base 1.6.0+snapshot20161117 + xtables_pending_targets@Base 1.6.0+snapshot20161117 + xtables_print_num@Base 1.6.0+snapshot20161117 + xtables_realloc@Base 1.6.0+snapshot20161117 + xtables_register_match@Base 1.6.0+snapshot20161117 + xtables_register_matches@Base 1.6.0+snapshot20161117 + xtables_register_target@Base 1.6.0+snapshot20161117 + xtables_register_targets@Base 1.6.0+snapshot20161117 + xtables_rule_matches_free@Base 1.6.0+snapshot20161117 + xtables_save_string@Base 1.6.0+snapshot20161117 + xtables_service_to_port@Base 1.6.0+snapshot20161117 + xtables_set_nfproto@Base 1.6.0+snapshot20161117 + xtables_set_params@Base 1.6.0+snapshot20161117 + xtables_strtoui@Base 1.6.0+snapshot20161117 + xtables_strtoul@Base 1.6.0+snapshot20161117 + xtables_targets@Base 1.6.0+snapshot20161117 diff --git a/debian/shlibs.local b/debian/shlibs.local deleted file mode 100644 index 69d5ca1..0000000 --- a/debian/shlibs.local +++ /dev/null 
@@ -1 +0,0 @@ -libxtables 12 libxtables12 (>= 1.6.0+snapshot20161117) -- 2.10.2
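
Review bot: in debian/libip6tc0.symbols the ip6tc_set_policy@Base entry, as shown here, has minimum version 1.6.0+snapshot2016111, one digit short of the 1.6.0+snapshot20161117 on every other line of the file. dpkg compares that trailing number numerically, so this entry sorts lower than the rest and a package that uses only ip6tc_set_policy would get a weaker dependency than intended; please change it to 1.6.0+snapshot20161117 to match the iptc_set_policy entry in debian/libip4tc0.symbols.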
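
Review bot: in debian/libxtables12.symbols, line@Base is recorded as an ordinary symbol even though the report says "int line" was probably not intended to be ABI. If upstream later makes it static or hidden as requested, dpkg-gensymbols will report it as a disappeared symbol and fail the build at its default check level; consider tagging that entry (optional), or adding a # comment line above it noting it is not public API, so the later cleanup does not look like an ABI break.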
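
The dependency calculation the report relies on, as an added example (not part of the report or of dpkg): a binary's dependency on the library is the highest minimum version among the symbols it actually uses. The sample stanza is constructed, `iptc_hypothetical_new` and its version 1.6.1 are invented for illustration, and the version ordering is a simplification that assumes no epoch, no `~`, and versions starting with a digit.

```python
import re

# Constructed excerpt in the symbols-file format used by the patch.
SAMPLE = """\
libip4tc.so.0 libip4tc0 #MINVER#
* Build-Depends-Package: libip4tc-dev
 iptc_init@Base 1.6.0+snapshot20161117
 iptc_commit@Base 1.6.0+snapshot20161117
 iptc_hypothetical_new@Base 1.6.1
"""

def parse_symbols(text):
    """Return (package, {symbol: minimum version}) for one library stanza."""
    package, symbols = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("*", "#", "|")):
            continue                      # metadata, comments, alternatives
        if line[0] != " ":                # header: soname package #MINVER#
            package = line.split()[1]
        else:                             # " symbol@Version minimum-version"
            name, minver = line.split()[:2]
            symbols[name] = minver
    return package, symbols

def version_key(version):
    """Simplified ordering: digit runs compare as numbers, the rest as text."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|\D+", version)]

def dependency_for(used, text):
    """Dependency string for a binary that uses the given symbols."""
    package, symbols = parse_symbols(text)
    needed = [symbols[s] for s in used if s in symbols]
    if not needed:
        return package                    # nothing matched: unversioned
    return f"{package} (>= {max(needed, key=version_key)})"

if __name__ == "__main__":
    print(dependency_for({"iptc_init@Base", "iptc_commit@Base"}, SAMPLE))
    print(dependency_for({"iptc_init@Base", "iptc_hypothetical_new@Base"}, SAMPLE))
```

The Build-Depends-Package field, which can raise the result further from the package's build-dependencies, is not modelled here.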

