Hi,

TL;DR: dpkg-statoverride detection cannot be automated, but there are only 5 affected packages.

On Wed, Jul 12, 2023 at 03:34:38PM +0200, Helmut Grohne wrote:
> * DEP17-P5: dpkg-statoverrides not matching the files shipped.
>   Possibly, I can extend dumat to cover unconditional statoverrides.

In retrospect, this feels like a lie. As usual, the story is more complex than it initially seems.

A really big chunk of users just queries a path for a (local) override. We cannot capture these by looking at how a chroot was modified during maintainer scripts. Another significant chunk is conditional statoverrides that depend on either debconf answers or failure to apply filesystem capabilities. Observing the intended outcome in these cases is next to impossible. Actually parsing shell scripts and extracting those calls is what I tried for diversions first, but that runs afoul of variable interpolation and the halting problem before too long.

So really, I don't see a good way to implement the promised detection without a high error rate.

Then on the flip side, there's about 1500 maintainer scripts matching dpkg-statoverride found by binarycontrol.d.n. Since most have postinst and prerm and most are in all suites, that's about 250 packages. Of these, the vast majority only ever deals with canonical paths or paths unaffected by the /usr-merge. Checking all of these manually as a one-shot effort definitely sounds more plausible to me.

To validate this claim (after having made a wrong one), I actually performed the analysis for unstable and found only five affected packages. I intend to move this forward by supplying the necessary patches.

Changes needed:
 * fuse (queries only, can be duplicated now)
 * fuse3 (queries only, can be duplicated now)
 * ntfs-3g (queries only, can be duplicated now)
 * systemd-cron (needs to be updated when moving files)
 * yp-tools (needs to be updated when moving files)

Nontrivially unaffected:
 * nfs-common (removes an aliased statoverride)

Unaffected:
 * activemq
 * amavisd-new
 * apt-cacher-ng
 * asterisk
 * asterisk-config
 * autofs-ldap
 * ax25-apps
 * backuppc
 * balboa
 * biboumi
 * bird
 * bird2
 * boinc-client
 * boxbackup-server
 * bucardo
 * ca-certificates
 * cado
 * ceph-base
 * ceph-common
 * ceph-mds
 * ceph-mgr
 * chrony
 * clamav-unofficial-sigs
 * cockpit-ws
 * corekeeper
 * coturn
 * courier-authdaemon
 * courier-authlib-ldap
 * courier-authlib-mysql
 * courier-authlib-postgresql
 * courier-base
 * courier-faxmail
 * courier-imap
 * courier-ldap
 * courier-mta
 * courier-pop
 * courier-webadmin
 * cron
 * cron-daemon-common
 * cubemap
 * cups
 * cups-daemon
 * cups-tea4cups
 * cups-x2go
 * cw
 * cyrus-common
 * davfs2
 * davmail-server
 * dbus
 * deluged
 * dodgindiamond2
 * dokuwiki
 * dovecot-core
 * durep
 * ejabberd
 * eviacam
 * exim4-base
 * exim4-config
 * fdutils
 * ferm
 * forked-daapd
 * fping
 * gammu-smsd
 * ganglia-monitor
 * ganglia-webfrontend
 * geki2
 * geki3
 * geoclue-2.0
 * gerbera
 * glhack
 * gmetad
 * gnokii-cli
 * gnunet
 * graphite-api
 * graphite-carbon
 * graphite-web
 * gravitywars
 * groonga-httpd
 * groonga-server-common
 * gvmd
 * gweled
 * h2o
 * haserl
 * hplip
 * i2p
 * icinga2-common
 * icingadb
 * icingaweb2-common
 * ilisp
 * im
 * inadyn
 * incron
 * john
 * json2file-go
 * kea-common
 * kgb-bot
 * kismet
 * knot
 * libvirt-daemon-system
 * libx2go-server-db-perl
 * libzeroc-ice3.7
 * lldpd
 * lmarbles
 * logdata-anomaly-miner
 * login-duo
 * lprng
 * lyskom-server
 * man-db
 * mandos
 * mandos-client
 * matrix-sydent
 * matrix-synapse
 * mgetty-fax
 * milter-greylist
 * minidlna
 * mlocate
 * mon
 * monsterz
 * mpd
 * mpd-sima
 * mpdscribble
 * muse
 * nagios4-cgi
 * nagios4-common
 * nagvis
 * nbsdgames
 * netdata-core
 * nethack-common
 * netselect
 * nginx-common
 * notus-scanner
 * nsca-ng-server
 * nsd
 * onak
 * open-infrastructure-compute-tools
 * opendkim
 * opendmarc
 * opendnssec-common
 * opensmtpd
 * openssh-client
 * opentracker
 * openvas-scanner
 * pacemaker-common
 * pawserv
 * pconsole
 * pdns-ixfrdist
 * phog
 * php-common
 * phpmyadmin
 * pkexec
 * plocate
 * pmount
 * polkitd
 * polkitd-pkla
 * postfix
 * powermanga
 * prayer
 * prometheus
 * prometheus-alertmanager
 * prometheus-apache-exporter
 * prometheus-bind-exporter
 * prometheus-blackbox-exporter
 * prometheus-haproxy-exporter
 * prometheus-ipmi-exporter
 * prometheus-mysqld-exporter
 * prometheus-node-exporter
 * prometheus-postfix-exporter
 * prometheus-postgres-exporter
 * prometheus-process-exporter
 * prometheus-pushgateway
 * prometheus-redis-exporter
 * prometheus-smokeping-prober
 * prosody
 * puppet-agent
 * puppetdb
 * puppetserver
 * pure-ftpd-common
 * pyracerz
 * qpsmtpd
 * radosgw
 * radvd
 * redis-sentinel
 * redis-server
 * redis-tools
 * roundcube-core
 * rtpengine-daemon
 * rtpengine-recording-daemon
 * samba-common
 * sasl2-bin
 * sendmail-bin
 * shibboleth-sp-utils
 * smstools
 * smtpprox-loopprevent
 * snort
 * softhsm2-common
 * sogo
 * spacearyarya
 * spamassassin
 * spampd
 * sqlgrey
 * squid
 * squid-openssl
 * sqwebmail
 * ssl-cert
 * stenographer
 * stenographer-common
 * switchsh
 * systemtap-runtime
 * tango-common
 * taskd
 * tecnoballz
 * telnetd-ssl
 * terminatorx
 * trafficserver
 * transmission-daemon
 * tryton-server
 * tryton-server-postgresql
 * tt-rss
 * tuxtype
 * tvtime
 * udevil
 * uml-utilities
 * varnish
 * vast
 * vde2
 * veyon-service
 * victoria-metrics
 * vlock
 * vrfydmn
 * webdis
 * webfs
 * wims
 * wing
 * wireshark-common
 * x2gobroker-agent
 * x2gobroker-authservice
 * x2gobroker-daemon
 * x2gobroker-loadchecker
 * x2gobroker-ssh
 * x2gobroker-wsgi
 * x2goserver
 * x2goserver-printing
 * xastir
 * xcwcp
 * xinit
 * xorp
 * yadifa
 * yaws
 * zeroc-icegrid

Helmut
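
The one-shot triage described in this message, sketched as an added example (not dumat and not the author's tooling): it extracts the path argument of each `dpkg-statoverride` call in a maintainer script, separates aliased paths from canonical ones, and sends anything built from a shell variable to manual review. The sample script, its paths and all function names are constructed for illustration; Python 3.8 or later is assumed.

```python
import re
import shlex

# Top-level directories that are symlinks into /usr on a merged-/usr system.
ALIASED = re.compile(r"^/(bin|sbin|lib(32|64|o32|x32)?)/")
OPERATORS = set("();<>|&")

def statoverride_paths(script):
    """Yield (lineno, path or None) for each dpkg-statoverride call."""
    for lineno, line in enumerate(script.splitlines(), 1):
        if "dpkg-statoverride" not in line:
            continue
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        try:
            tokens = list(lexer)
        except ValueError:  # quoting continues on another line
            yield lineno, None
            continue
        for i, tok in enumerate(tokens):
            if tok != "dpkg-statoverride":
                continue
            args = []
            for arg in tokens[i + 1:]:
                if arg and set(arg) <= OPERATORS:  # ; && | > end the command
                    break
                args.append(arg)
            # --add puts user, group and mode before the path, so take the
            # last argument that looks like a path or a variable.
            paths = [a for a in args if "/" in a or "$" in a]
            yield lineno, paths[-1] if paths else None

def classify(path):
    if path is None or "$" in path or "`" in path:
        return "review"  # value only known when the script runs
    return "aliased" if ALIASED.match(path) else "unaffected"

def triage(script):
    return [(n, p, classify(p)) for n, p in statoverride_paths(script)]

# Constructed maintainer script; the package paths are hypothetical.
SAMPLE = '''\
#!/bin/sh
set -e
if ! dpkg-statoverride --list /bin/example-mount >/dev/null 2>&1; then
    chmod 4755 /bin/example-mount
fi
dpkg-statoverride --update --add root crontab 2755 /usr/bin/example-tool
if ! dpkg-statoverride --list "$file" >/dev/null; then
    chown root:root "$file"
fi
'''
```

A query on an aliased path is worth flagging because, once the file ships under `/usr`, an administrator's override registered for the new path no longer matches the old query and the script may reset the mode.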