On Wed, Nov 08, 2023 at 08:07:29PM +0100, Helmut Grohne wrote:
> I'm proposing the attached patch to implement DEP17 mitigation M18. I
> caution that the patch is untested, because piuparts failed for
> unrelated reasons. open-infrastructure-compute-tools.postinst and
> sudo.prerm fail inside piuparts. So consider this a starting point.

The original patch didn't work at all. molly-guard was using the same
approach and it failed on multiple accounts. After quite some back and
forth, molly-guard now has a patch that looks reasonably good and I've
ported the approach to bfh-container.

Notable:
 * Diversion targets must differ in more than aliasing.
 * Since bfh-container does not need access to the diverted files, we
   can continue to move them to a different directory.
 * To avoid the conflicts-is-not-conflicts problem, bfh-container must
   support aliased as well as canonicalized versions and not declare
   Breaks or Conflicts for diverted packages such as systemd-sysv.

Since systemd-sysv now Conflicts with bfh-container, testing the patch in
unstable is difficult. I've tested installing, removing and upgrading it
in bookworm though and that all works. Also the diversions look
reasonable to me.

When uploading this, please target experimental. Then we'll update
systemd-sysv to add a version to their breaks and further test the patch
before uploading to unstable.

Helmut

diff -Nru bfh-metapackages-20211009/debian/bfh-container.postrm
bfh-metapackages-20211009/debian/bfh-container.postrm
--- bfh-metapackages-20211009/debian/bfh-container.postrm 2023-08-14
09:07:46.000000000 +0200
+++ bfh-metapackages-20211009/debian/bfh-container.postrm 2023-12-19
14:08:37.000000000 +0100
@@ -6,12 +6,12 @@
remove)
for FILE in halt poweroff reboot shutdown coldreboot
do
- dpkg-divert --package bfh-container --quiet --remove
--rename --divert /lib/container/divert/${FILE}.orig /sbin/${FILE}
+ dpkg-divert --package bfh-container --quiet --remove
--rename --divert "/lib/container/divert/${FILE}.orig.usr-is-merged"
"/sbin/${FILE}"
done
- for FILE in pm-hibernate pm-suspend pm-suspend-hybrid
+ for FILE in halt poweroff reboot shutdown coldreboot
pm-hibernate pm-suspend pm-suspend-hybrid
do
- dpkg-divert --package bfh-container --quiet --remove
--rename --divert /lib/container/divert/${FILE}.orig /usr/sbin/${FILE}
+ dpkg-divert --package bfh-container --quiet --remove
--rename --divert "/usr/lib/container/divert/${FILE}.orig" "/usr/sbin/${FILE}"
done
;;
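Review bot: The first loop under `remove)` now exists only to drop the aliased `/sbin/${FILE}` diversion with its `.orig.usr-is-merged` target, but nothing in the postrm says so. The preinst marks the matching code with `# DEP17 M18 duplicated diversion. Can be removed after trixie.`; the same comment above this loop would keep the two scripts in step when the duplicate is eventually dropped. The list `halt poweroff reboot shutdown coldreboot` now appears in both loops, so holding it in one variable would avoid the two copies drifting. Both removals also pass `--rename` unconditionally, while the preinst can register either diversion of a pair with `--no-rename`; a one-line comment on why that is safe on an aliased system would help the next reader.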
diff -Nru bfh-metapackages-20211009/debian/bfh-container.preinst
bfh-metapackages-20211009/debian/bfh-container.preinst
--- bfh-metapackages-20211009/debian/bfh-container.preinst 2023-08-14
09:07:46.000000000 +0200
+++ bfh-metapackages-20211009/debian/bfh-container.preinst 2023-12-19
14:12:04.000000000 +0100
@@ -8,12 +8,36 @@
for FILE in halt poweroff reboot shutdown coldreboot
do
- dpkg-divert --package bfh-container --quiet --add
--rename --divert /lib/container/divert/${FILE}.orig /sbin/${FILE}
+ TRUENAMEUSR=$(dpkg-divert --truename "/usr/sbin/$FILE")
+ TRUENAMEALIAS=$(dpkg-divert --truename "/sbin/$FILE")
+ RENAME_FLAG=--no-rename
+ if test "$TRUENAMEUSR" = "/usr/sbin/$FILE"; then
+ if test "$TRUENAMEALIAS" = "/sbin/$FILE"; then
+ RENAME_FLAG=--rename
+ fi
+ dpkg-divert --package bfh-container --quiet
--add "$RENAME_FLAG" --divert "/usr/lib/container/divert/$FILE.orig"
"/usr/sbin/$FILE"
+ fi
+ # DEP17 M18 duplicated diversion. Can be removed after
trixie.
+ if test "$TRUENAMEALIAS" = "/sbin/$FILE"; then
+ dpkg-divert --package bfh-container --quiet
--add "$RENAME_FLAG" --divert "/lib/container/divert/$FILE.orig.usr-is-merged"
"/sbin/$FILE"
+ elif test "$TRUENAMEALIAS" !=
"/lib/container/divert/$FILE.orig.usr-is-merged"; then
+ dpkg-divert --package bfh-container --quiet
--remove --no-rename "/sbin/$FILE"
+ dpkg-divert --package bfh-container --quiet
--add --no-rename --divert "/lib/container/divert/$FILE.orig.usr-is-merged"
"/sbin/$FILE"
+ if test -e "$TRUENAMEALIAS" || test -h
"$TRUENAMEALIAS"; then
+ mv "$TRUENAMEALIAS"
"/lib/container/divert/$FILE.orig.usr-is-merged"
+ fi
+ fi
done
for FILE in pm-hibernate pm-suspend pm-suspend-hybrid
do
- dpkg-divert --package bfh-container --quiet --add
--rename --divert /lib/container/divert/${FILE}.orig /usr/sbin/${FILE}
+ TRUENAMEUSR=$(dpkg-divert --truename "/usr/sbin/$FILE")
+ if test "$TRUENAMEUSR" =
"/lib/container/divert/$FILE.orig"; then
+ dpkg-divert --package bfh-container --quiet
--remove --no-rename "/usr/sbin/$FILE"
+ dpkg-divert --package bfh-container --quiet
--add --no-rename --divert "/usr/lib/container/divert/$FILE.orig"
"/usr/sbin/$FILE"
+ else
+ dpkg-divert --package bfh-container --quiet
--add --rename --divert "/usr/lib/container/divert/$FILE.orig" "/usr/sbin/$FILE"
+ fi
done
;;
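Review bot: The `elif test "$TRUENAMEALIAS" != "/lib/container/divert/$FILE.orig.usr-is-merged"` branch in the first loop treats any existing diversion of `/sbin/$FILE` as bfh-container's old one. If the diversion belongs to a different package, the `--remove` with `--package bfh-container` will not match it, and the later `mv "$TRUENAMEALIAS" ...` operates on a file bfh-container never diverted. The pm-* loop already compares `TRUENAMEUSR` against the explicit old target `/lib/container/divert/$FILE.orig`; doing the same here, or checking the owner with `dpkg-divert --listpackage "/sbin/$FILE"`, would limit the migration to diversions this package created. The same applies to the outer `if test "$TRUENAMEUSR" = "/usr/sbin/$FILE"`: when `/usr/sbin/$FILE` is already diverted, the script silently skips it without checking where it points or who owns it.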
diff -Nru bfh-metapackages-20211009/debian/changelog
bfh-metapackages-20211009/debian/changelog
--- bfh-metapackages-20211009/debian/changelog 2023-10-11 11:26:46.000000000
+0200
+++ bfh-metapackages-20211009/debian/changelog 2023-12-19 14:12:04.000000000
+0100
@@ -1,3 +1,10 @@
+bfh-metapackages (20211009-21.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Duplicate diversion via DEP17 M18. (Closes: #1055509)
+
+ -- Helmut Grohne <[email protected]> Tue, 19 Dec 2023 14:12:04 +0100
+
bfh-metapackages (20211009-21) sid; urgency=medium
* Uploading to sid.
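Review bot: The entry `Duplicate diversion via DEP17 M18.` undersells what the maintainer scripts change. The same upload moves the `/usr/sbin` diversion targets to `/usr/lib/container/divert/` and migrates the existing pm-* diversions in the preinst, and both are worth a changelog line each so that someone debugging leftover diversions can find the version that introduced them. The distribution is still `UNRELEASED`, while the accompanying mail asks for an upload to experimental, so that field needs setting before the upload.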