On Thu, Apr 06, 2006 at 05:52:34PM +1000, Steve Kowalik wrote:
> On Tue, 4 Apr 2006 17:40:41 +0200, Marc Haber uttered
> > Since a package cannot be forced to depend on all indirect
> > dependencies, I'd vouch for removing this check. exim4 is also plagued
> > by this, and will have a override added.
> > 
> But indirect dependancies are not checked. What we look for is the
> libraries that the binaries themselves link to, using objdump. objdump
> only lists libraries the binary itself requires through it's NEEDED
> section. What is probably happening here is that the SONAME of the
> library doesn't match the package name enough that Linda knows that it
> is depended upon.

I'm hit by the same bug on wmcpuload 1.0.1-3 (currently available on
http://greek0.net/debian/packages/wmcpuload/5/).

Here is the data:
  [EMAIL PROTECTED]:~/work/pkg$ grep Depends DEBIAN/control 
  Depends: libc6 (>= 2.3.6-6), libx11-6, libxext6, libxpm4
  [EMAIL PROTECTED]:~/work/pkg$ objdump -p usr/bin/wmcpuload | grep NEEDED
    NEEDED      libX11.so.6
    NEEDED      libXext.so.6
    NEEDED      libXpm.so.4
    NEEDED      libc.so.6

The relevant piece of code is BinaryCheck.links_shlibs() in
checks/binary.py.

You iterate over all the sonames found in the ELF files, and
try to find a dependency for each soname via (line 146):
    for dep in dependencies:
      if dep.startswith(libs[lib]):
        found = 1

The problem is that this falls apart as soon as the soname is
different from the library name. This hit you with libpam_misc.

In the case of wmcpuload the test fails too (notice capitalisation):
    'libxext6'.startswith('libXext')

IMHO you have several choices:
 * Remove the test altogether
 * Continue to patch it together as you currently do (libz, libpam,
   libc, ...
 * Start to use shlibs

The shlibs thing certainly sounds nice, but on a closer look it
seems nasty too. If you use /var/lib/dpkg/info/*.shlibs the result
of linda depends on the libraries currently installed on the system,
which probably sucks. If you use your own list you have to keep that
up to date which sucks too.

Adding all the exceptions to the code could work, but IMHO it would
suck if there were too many of them. This could be found out
however..

Removing the test might actually be ok too, since it doesn't add
much security. dpkg-shlibdeps/dh_shlibdeps exists, so missing deps
shouldn't occur too often. What would be really helpful is a warning
if you built against a too old version of a library, but the current
test doesn't protect against that anyway.

HTH,
Christian Aichinger

Attachment: signature.asc
Description: Digital signature

Reply via email to