[Reproducible-builds] Bug#764721: dpkg-dev: dpkg-shlibdeps does not output the minimum dependency when a package does not use any symbols

[Jérémy Bobbio]

Package: dpkg-dev
Version: 1.17.16
Severity: minor
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: toolchain randomness

Hi!

As part of the “reproducible builds” effort [1], I came to investigate a
couple of failures related to dpkg-shlibdeps.

An example is visible in the output of debbindiff for gemanx-gtk2:
https://jenkins.debian.net//userContent/dbd/gemanx-gtk2_0.1.0.3-2.debbindiff.html

In the Depends field of the control file of libgemanx-core0, one build
has `libglib2.0-0 (>= 2.12.0)` while the other has
`libglib2.0-0 (>= 2.16.0)`.

dpkg-shlibdeps outputs a warning, as it is actually a useless
dependency. So the issue is probably a minor one. Here's my analysis and
possible solution:

The minimal version numbers differ from one run to another because when
the .symbols file is loaded, the order of the entries in the `libfiles`
hash are random. Only the minimal required version for the first
encountered shared library of a package will be currently used.

libglib2.0-0 exhibits the problem because libgio-2.0.so.0 has a minimal
required version of 2.16.0, while all other shared libraries contained
in the same package have a minimal required version of 2.12.0.

The attached patch uses `update_dependency_version` in order to raise
the initial minimum required version for each shared libraries provided
by the same package.

 [1]: https://wiki.debian.org/ReproducibleBuilds

-- 
Lunar                                .''`. 
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   

diff --git a/scripts/dpkg-shlibdeps.pl b/scripts/dpkg-shlibdeps.pl
index bda1e09..6caa6d8 100755
--- a/scripts/dpkg-shlibdeps.pl
+++ b/scripts/dpkg-shlibdeps.pl
@@ -255,13 +255,9 @@ foreach my $file (keys %exec) {
                 # package and we really need it)
 		my $dep = $symfile->get_dependency($soname);
 		my $minver = $symfile->get_smallest_version($soname) || '';
-		foreach my $subdep (split /\s*,\s*/, $dep) {
-		    if (not exists $dependencies{$cur_field}{$subdep}) {
-			$dependencies{$cur_field}{$subdep} = Dpkg::Version->new($minver);
-                        print " Initialize dependency ($subdep) with minimal " .
-                              "version ($minver)\n" if $debug > 1;
-		    }
-		}
+		update_dependency_version($dep, $minver);
+		print " Initialize dependencies ($dep) with minimal " .
+		      "version ($minver)\n" if $debug > 1;
 	    } else {
 		# No symbol file found, fall back to standard shlibs
                 print "Using shlibs+objdump for $soname (file $lib)\n" if $debug;

signature.asc
Description: Digital signature

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds