Hi,

On Sat, 12 Dec 2009 17:34:44 -0500 Sam Hartman <hartm...@debian.org> wrote:
> >>>>> "Harald" == Harald Braumann <ha...@unheit.net> writes:
>
>     Harald> Hi, yes, very sad, indeed, especially if the host is only
>     Harald> reachable via ssh and that breaks.
>
> Agreed. This is not intended to reduce the severity of the problem,
> but is advice you may find useful for reducing this sort of thing in
> the future. I find that when I upgrade a machine it's worth
> restarting the main sshd and then sshing into the machine while I
> still have a root shell open just to test for this sort of thing.

The problem is so severe because there is no indication at all that
you're going to do something stupid. The only thing that happens is
that a package is removed that no other packages depend on. This
doesn't really ring any alarm bells. So I didn't employ any extra
safeguards. But it's good advice. I should make it a habit to restart
sshd in any case.

>     Harald> I had libkrb53 installed from lenny and libk5crypto3 from
>     Harald> sid. Something depended on it and it was set as an
>     Harald> automatic dependency. On upgrade, that dependency vanished
>     Harald> and so libk5crypto3 was removed automatically. Now
>
> If you could provide more detail here it would be useful. I'd like to
> evaluate whether I made the right tradeoff here and in particular how
> likely it is that someone would manage to get into a situation where
> they have libk5crypto3 from squeeze without also having something from
> squeeze that will keep it installed.
>
> Do you know how you got into a situation where you had libk5crypto3
> installed and then later no longer had it?

I have jabberd2 2.2.1-1.1 installed from sid (the newest version would
depend on libk5crypto3, but this version still depends on libkrb53).
This also pulls in libudns0 from sid. Everything else is lenny.
However, I can't really figure out why libk5crypto3 got installed in
the first place.

Here's an excerpt of the dpkg.log where libk5crypto3 was installed
(full log appended as dpkg.log.7.gz):

2009-04-30 21:24:38 upgrade base-files 5 5lenny2
2009-04-30 21:24:40 upgrade libpam-modules 1.0.1-5 1.0.1-5+lenny1
2009-04-30 21:24:42 upgrade apt 0.7.20.2 0.7.20.2+lenny1
2009-04-30 21:24:45 upgrade libpam-runtime 1.0.1-5 1.0.1-5+lenny1
2009-04-30 21:24:47 upgrade libpam0g 1.0.1-5 1.0.1-5+lenny1
2009-04-30 21:24:48 upgrade apt-utils 0.7.20.2 0.7.20.2+lenny1
2009-04-30 21:24:49 upgrade libssl0.9.8 0.9.8g-15 0.9.8g-15+lenny1
2009-04-30 21:24:49 upgrade bind9 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:49 upgrade bind9-host 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:50 upgrade dnsutils 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:50 upgrade libbind9-40 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:50 upgrade libisccfg40 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:50 upgrade libisccc40 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:50 upgrade libdns45 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:50 upgrade libisc45 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:50 upgrade libkrb53 1.6.dfsg.4~beta1-5 1.6.dfsg.4~beta1-5lenny1
2009-04-30 21:24:50 upgrade liblwres40 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:51 upgrade bind9utils 1:9.5.1.dfsg.P1-1 1:9.5.1.dfsg.P1-2
2009-04-30 21:24:51 install libkrb5support0 <none> 1.6.dfsg.4~beta1-13
2009-04-30 21:24:51 install libk5crypto3 <none> 1.6.dfsg.4~beta1-13
2009-04-30 21:24:51 install libdb4.7 <none> 4.7.25-6
2009-04-30 21:24:51 upgrade mysql-common 5.0.51a-24 5.0.51a-24+lenny1
2009-04-30 21:24:51 upgrade libmysqlclient15off 5.0.51a-24 5.0.51a-24+lenny1
2009-04-30 21:24:51 upgrade libpq5 8.3.6-1 8.3.7-0lenny1
2009-04-30 21:24:52 upgrade openssl 0.9.8g-15 0.9.8g-15+lenny1

I can only see security upgrades for lenny, so I'm not sure why
libk5crypto3 got installed.

Here's an excerpt of the dpkg.log where libk5crypto3 got removed
(full log appended as dpkg.log.gz):

2009-12-11 23:44:54 remove libdb4.7 4.7.25-8 4.7.25-8
2009-12-11 23:44:54 remove libk5crypto3 1.7dfsg~beta3-1 1.7dfsg~beta3-1
2009-12-11 23:44:55 remove libkrb5support0 1.7dfsg~beta3-1 1.7dfsg~beta3-1
2009-12-11 23:44:55 upgrade libgnutls26 2.4.2-6+lenny1 2.4.2-6+lenny2
2009-12-11 23:44:57 upgrade ldap-utils 2.4.11-1 2.4.11-1+lenny1
2009-12-11 23:44:58 upgrade slapd 2.4.11-1 2.4.11-1+lenny1
2009-12-11 23:45:01 upgrade libldap-2.4-2 2.4.11-1 2.4.11-1+lenny1

Again, I can only see security upgrades for lenny, so again I'm not
sure why that changed anything in regard to libk5crypto3. Package
removals were done by aptitude because those packages were automatic
dependencies and nothing depended on them any more. It is possible
that I installed libk5crypto3 manually, and then later set it to an
automatic dependency without removing it immediately.

>     Harald> I know it's my own fault if I shoot myself in the foot,
>     Harald> but would you please not hand me a loaded gun with the
>     Harald> safety released and a broken trigger that can go off any
>     Harald> time?
>
> So, I've explained my reasoning. I'm happy to change things if
> 1) We can find a fix that fixes this problem and allows people to keep
> libkrb53 installed

Sorry to not be of any real help here.

> or 2) I discover that my assumptions about how likely this failure is
> were off. As I said I realize I'm making a tradeoff here; my
> assumption is that especially in a lenny->squeeze upgrade it's going
> to be fairly difficult to end up depending on libk5crypto3 without
> also getting the rest of the packages. So, information on what
> people are doing that creates this situation would be greatly
> appreciated.

I can't fully reconstruct the events that led to this situation and I
don't know if it's likely that someone else gets there. But it
obviously is possible. The implications are catastrophic (i.e. a
completely broken system) without giving you any hint that something
bad might happen. In my opinion this is not acceptable no matter how
unlikely the case might be. The package management system should
prevent you from doing such things unintentionally.

As a first step I would suggest making it clearer in NEWS.Debian what
the problem is. Currently it only talks about downgrading. It should
also state explicitly that it is not a good idea to remove the package
if there are still packages depending on libkrb53. But this is not
really a solution because it's impossible to know about all the
details of all the packages. I probably have read the NEWS when the
package was installed, but there was no way I remembered about that
when it got uninstalled 8 months later.

Cheers,
harry
Attachments: dpkg.log.7.gz (GNU Zip compressed data), dpkg.log.gz (GNU Zip compressed data), signature.asc (PGP signature)
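A small parser for the dpkg.log excerpts quoted above, added here as an illustration and not part of the original message or of Debian's tooling: it reconstructs one package's install/remove history and flags library packages that were removed on a day when no package with the same name stem was installed or upgraded, which is the pattern that silently took out sshd in this thread. The sample log is constructed from the excerpts above plus a made-up libreadline5 -> libreadline6 transition to show the contrast.

```python
import re
from datetime import datetime

# dpkg.log entry: "<date> <time> <action> <package> <old-version> <new-version>";
# "status ..." and "startup ..." lines have another shape and are skipped.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"(install|upgrade|remove|purge) (\S+) (\S+) (\S+)$")

# Constructed sample: lines from the excerpts above plus a made-up transition.
SAMPLE_LOG = """\
2009-04-30 21:24:51 install libkrb5support0 <none> 1.6.dfsg.4~beta1-13
2009-04-30 21:24:51 install libk5crypto3 <none> 1.6.dfsg.4~beta1-13
2009-12-11 23:44:54 status half-configured libdb4.7 4.7.25-8
2009-12-11 23:44:54 remove libdb4.7 4.7.25-8 4.7.25-8
2009-12-11 23:44:54 remove libk5crypto3 1.7dfsg~beta3-1 1.7dfsg~beta3-1
2009-12-11 23:44:55 remove libkrb5support0 1.7dfsg~beta3-1 1.7dfsg~beta3-1
2009-12-11 23:44:56 remove libreadline5 5.2-3 5.2-3
2009-12-11 23:44:56 install libreadline6 <none> 6.0-1
"""

def parse_log(text):
    """Return (timestamp, action, package, old_version, new_version) tuples."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts,) + m.groups()[1:])
    return events

def package_history(text, package):
    """Every logged install/upgrade/remove of one package, oldest first."""
    return [(ts.date().isoformat(), act, old, new)
            for ts, act, pkg, old, new in parse_log(text) if pkg == package]

def stem(pkg):
    """Drop the soname suffix: libk5crypto3 -> libk5crypto, libdb4.7 -> libdb."""
    return re.sub(r"[\d.]+$", "", pkg)

def removals_without_successor(text):
    """Library packages removed on a day when nothing with the same stem was
    installed or upgraded: a soname transition leaves an install beside the
    remove, while a bare remove is the event worth reviewing before a restart."""
    events = parse_log(text)
    flagged = []
    for ts, act, pkg, _old, _new in events:
        if act != "remove" or not pkg.startswith("lib"):
            continue
        day = ts.date()
        if not any(e[1] in ("install", "upgrade") and e[0].date() == day
                   and stem(e[2]) == stem(pkg) for e in events):
            flagged.append((day.isoformat(), pkg))
    return flagged
```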