Package: devscripts
Version: 2.16.7
Severity: important

Dear Maintainer,

using "chdist compare-bin-packages" I was quite surprised to learn not
always the newest version of the respective DIST is taken into account.

How to repeat:

* Create two DISTs, for the sake of this example called "wheezy-plain"
  and "wheezy-security"

# chdist create wheezy-plain
# chdist create wheezy-security

* Populate the respective sources.list as follows

| deb wheezy                  main contrib 
| deb-src wheezy                  main contrib 

| deb wheezy                  main contrib 
| deb-src wheezy                  main contrib 
| deb      wheezy/updates          main contrib 
| deb-src      wheezy/updates          main contrib 

* Update the DISTs

# chdist apt-get wheezy-plain update
# chdist apt-get wheezy-security update

* Compare them

# chdist compare-bin-packages wheezy-plain wheezy-security |& grep tcpreplay

Background: The tcpreplay package was updated after the last wheezy
point release.

Expected output:

| tcpreplay 3.4.3-2+wheezy1 3.4.3-2+wheezy2

Actual output:

| W: Package tcpreplay is already listed for wheezy-security. Not overriding.
| tcpreplay 3.4.3-2+wheezy1 3.4.3-2+wheezy1


The additional warning message gives the right hint: If a binary
package is seen several times, only the first occurence is taken into
account. Even if any later has a higher version.

Suggested fix:

The patch attached implements the expected behaviour: If the second
occurence has a higher version number, that one is used. If the version
number is identical, also the warning is suppressed.

Additionally, the patch contains a safeguard in case there there is no
version number. Feel free to drop that.

The compare_src_bin function probably needs a fix, too. I could however
not trigger this.

Background: I maintain local backports and forks of several packages
in Debian. This needs a tool to notify about new versions in Debian
that require according work. I moved from an ugly hand-written solution
to something based on chdist and found regressions.

Justification: Besides this is unexpected behaviour and does not match
the output of apt-cache policy on both sides (after some parsing) ...
Assuming more people do track Debian in a similar way, they will face
the same problem: They might not learn about updates that are necessary
on their site, perhaps leading to something between functionality loss,
or a security issue not getting fixed.

Please also fix this in a stable point release: The patch applies to
jessie as well (with an offset).


-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.20 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages devscripts depends on:
ii  dpkg-dev     1.18.10
ii  libc6        2.23-5
ii  perl         5.22.2-5
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  apt                         1.3~rc4
pn  at                          <none>
ii  curl                        7.50.1-1
ii  dctrl-tools                 2.24-2
pn  debian-keyring              <none>
pn  dput | dupload              <none>
pn  equivs                      <none>
ii  fakeroot                    1.21-2
ii  file                        1:5.28-4
ii  gnupg                       1.4.20-6
ii  gnupg2                      2.1.11-7
ii  libdistro-info-perl         0.14
ii  libencode-locale-perl       1.05-1
ii  liblwp-protocol-https-perl  6.06-2
pn  libsoap-lite-perl           <none>
ii  liburi-perl                 1.71-1
ii  libwww-perl                 6.15-1
pn  licensecheck                <none>
ii  lintian                     2.5.47
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
ii  python3-debian              0.1.29
ii  python3-magic               1:5.28-4
ii  sensible-utils              0.0.9
ii  strace                      4.12-3
ii  unzip                       6.0-20
ii  wdiff                       1.2.2-1+b1
ii  wget                        1.18-2+b1
ii  xz-utils                    5.1.1alpha+20120614-2.1

Versions of packages devscripts suggests:
pn  bsd-mailx | mailx            <none>
ii  build-essential              12.2
pn  cvs-buildpackage             <none>
pn  devscripts-el                <none>
ii  diffoscope                   60
pn  dose-extra                   <none>
pn  gnuplot                      <none>
ii  gpgv                         1.4.20-6
pn  libauthen-sasl-perl          <none>
ii  libfile-desktopentry-perl    0.22-1
ii  libnet-smtp-ssl-perl         1.03-1
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
ii  mozilla-devscripts           0.47
ii  mutt                         1.7.0-1
ii  openssh-client [ssh-client]  1:7.3p1-1
pn  reprotest                    <none>
pn  svn-buildpackage             <none>
ii  w3m                          0.5.3-29

-- no debconf information
--- /usr/bin/chdist
+++ /tmp/chdist
@@ -471,10 +471,17 @@
         my $parsed_file = parseFile($file);
         foreach my $package ( keys(%{$parsed_file}) ) {
            if ( $packages{$dist}{$package} ) {
-              warn "W: Package $package is already listed for $dist. Not 
-           } else {
-              $packages{$dist}{$package} = $parsed_file->{$package};
-           }
+             my $version = $packages{$dist}{$package}{'Version'};
+             my $alt_ver = $parsed_file->{$package}{'Version'};
+             my $delta = $version && $alt_ver && version_compare($version, 
+             if (defined ($delta) && $delta < 0) {
+               $packages{$dist}{$package} = $parsed_file->{$package};
+             } elsif (!defined ($delta) || $delta < 0) {
+               warn "W: Package $package is already listed for $dist. Not 
+             }
+            } else {
+               $packages{$dist}{$package} = $parsed_file->{$package};
+           }

Attachment: signature.asc
Description: Digital signature

Reply via email to