Sorry for posting from phone. I hope it's not too unreadable. I'm a bit ill
from travel.

Sebastian Ramacher <[email protected]> schrieb am So., 7. Mai 2023,
10:50:

> Source: apt
> Version: 2.5.4
> Severity: serious
>
> On 2023-05-04 11:17:50 +0200, Helmut Grohne wrote:
> > Hi release team,
> >
> > Andreas Beckmann does wonderful QA work and recently figured that some
> > packages use deluser during purge (e.g. #1035494 and #1035495). deluser
> > is shipped with adduser and adduser used to be practically essential,
> > becaue apt used to depend on it, but that dependency was removed on my
> > request. Now apt never was essential to begin with, but having a Debian
> > installation without apt is a relatively rare thing. So while this was
> > theoretically buggy at all times, it is now practically observable.
>
> The current list of relevant bug reports is:
>
> #1034758        x2goserver-common       x2goserver-common: fails to purge
> - command (deluser|delgroup) in postrm not found
> #1035291        desktop-autoloader      desktop-autoloader: fails to purge
> - command (deluser|adduser) in postrm not found      2023-04-30
> #1035292        debian-edu-fai  debian-edu-fai: fails to purge - command
> (deluser|adduser) in postrm not found  2023-04-30
> #1035435        webdis  webdis: fails to purge - command (deluser|adduser)
> in postrm not found
>
> Those bugs might be fixable, but is this list complete?
>
> And then there's that:
>
> > Even if we fix these bugs in the packages, people may still upgrade
> > their systems and remove them rather than upgrading. Then, once the
> > upgrade is finished (and adduser is removed), they may consider purging
> > them and boom things go bad without any way of us fixing those packages.
> >
> > So fixing these bugs (and probably not removing users in purge) is the
> > way to go, but this also raises the question of whether we want to limit
> > the possible damage in trixie by making adduser temporarily essential
> > for trixie. What do you think?
>
> I suppose you meant s/trixie/bookworm/. We are very late in the release
> cycle, so dear apt maintainers, please re-instante the dependency on
> adduser for bookworm. Once bookworm is released, removing adduser from
> the pseudo-essential set can be revisited.
>

I don't have a problem pushing a 2.6.1 out with this in the coming days. Is
this the best solution though - maybe setting Essential on adduser might be
easier and formally fix the issue for now.



> With such a change I would have expected upgrade/piuparts tests from
> bullseye to bookworm that tried to remove adduser a various stages and
> check for the fallout. Given that Andreas is only doing them now, that's
> too late for changes to the pseudo-essential set.
>

We generally do not expect stuff to depend on apt. This seems to be a gap
in piuparts, that it has apt installed while testing packages.


> Cheers
>
> > Of course, I really like small essential and want it gone, but we need
> > to balance that with possible breakage.
> >
> > I think this primarily is a decision that belongs to the release
> > managers with the default choice being "do nothing about it".
> >
> > Helmut
> >
>
> --
> Sebastian Ramacher
>
>

Reply via email to