Package: devscripts
Version: 2.16.7
Severity: important
Dear Maintainer,
using "chdist compare-bin-packages" I was quite surprised to learn not
always the newest version of the respective DIST is taken into account.
How to repeat:
* Create two DISTs, for the sake of this example called "wheezy-plain"
and "wheezy-security"
# chdist create wheezy-plain
# chdist create wheezy-security
* Populate the respective sources.list as follows
wheezy-plain:
| deb http://ftp.de.debian.org/debian wheezy main contrib
non-free
| deb-src http://ftp.de.debian.org/debian wheezy main contrib
non-free
wheezy-security:
| deb http://ftp.de.debian.org/debian wheezy main contrib
non-free
| deb-src http://ftp.de.debian.org/debian wheezy main contrib
non-free
| deb http://security.debian.org wheezy/updates main contrib
non-free
| deb-src http://security.debian.org wheezy/updates main contrib
non-free
* Update the DISTs
# chdist apt-get wheezy-plain update
# chdist apt-get wheezy-security update
* Compare them
# chdist compare-bin-packages wheezy-plain wheezy-security |& grep tcpreplay
Background: The tcpreplay package was updated after the last wheezy
point release.
Expected output:
| tcpreplay 3.4.3-2+wheezy1 3.4.3-2+wheezy2
^
Actual output:
| W: Package tcpreplay is already listed for wheezy-security. Not overriding.
| tcpreplay 3.4.3-2+wheezy1 3.4.3-2+wheezy1
^
Analysis:
The additional warning message gives the right hint: If a binary
package is seen several times, only the first occurence is taken into
account. Even if any later has a higher version.
Suggested fix:
The patch attached implements the expected behaviour: If the second
occurence has a higher version number, that one is used. If the version
number is identical, also the warning is suppressed.
Additionally, the patch contains a safeguard in case there there is no
version number. Feel free to drop that.
The compare_src_bin function probably needs a fix, too. I could however
not trigger this.
Background: I maintain local backports and forks of several packages
in Debian. This needs a tool to notify about new versions in Debian
that require according work. I moved from an ugly hand-written solution
to something based on chdist and found regressions.
Justification: Besides this is unexpected behaviour and does not match
the output of apt-cache policy on both sides (after some parsing) ...
Assuming more people do track Debian in a similar way, they will face
the same problem: They might not learn about updates that are necessary
on their site, perhaps leading to something between functionality loss,
or a security issue not getting fixed.
Please also fix this in a stable point release: The patch applies to
jessie as well (with an offset).
Christoph
-- Package-specific info:
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
Not present
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.20 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages devscripts depends on:
ii dpkg-dev 1.18.10
ii libc62.23-5
ii perl 5.22.2-5
pn python3:any
Versions of packages devscripts recommends:
ii apt 1.3~rc4
pn at
ii curl7.50.1-1
ii dctrl-tools 2.24-2
pn debian-keyring
pn dput | dupload
pn equivs
ii fakeroot1.21-2
ii file1:5.28-4
ii gnupg 1.4.20-6
ii gnupg2 2.1.11-7
ii libdistro-info-perl 0.14
ii libencode-locale-perl 1.05-1
ii liblwp-protocol-https-perl 6.06-2
pn libsoap-lite-perl
ii liburi-perl 1.71-1
ii libwww-perl 6.15-1
pn licensecheck
ii lintian 2.5.47
ii man-db 2.7.5-1
ii patch 2.7.5-1
ii patchutils 0.3.4-1
ii python3-debian 0.1.29
ii python3-magic 1:5.28-4
ii sensible-utils 0.0.9
ii strace 4.12-3
ii unzip 6.0-20
ii wdiff 1.2.2-1+b1
ii wget1.18-2+b1
ii xz-utils5.1.1alpha+20120614-2.1
Versions of packages devscripts suggests:
pn bsd-mailx | mailx
ii build-essential 12.2
pn cvs-buildpackage
pn devscripts-el
ii diffoscope 60
pn dose-extra
pn gnuplot
ii gpgv
