Package: pkgconf-bin
Version: 1.8.1-1
Severity: important
Tags: patch
User: helm...@debian.org
Usertags: dep17p6
Control: affects -1 + multipath-tools

pkgconf-bin contains /usr/lib/pkgconfig as an empty directory. Such
directories are at risk of deletion due to how we implemented the
/usr-merge. Consider a minimal Debian bookworm installation where you
install both pkgconf-bin and multipath-tools. The latter package
happens to install /lib/pkgconfig/libdmmp.pc. If you now remove
multipath-tools, dpkg will notice that it was the last owner of
/lib/pkgconfig (not realising that it aliases /usr/lib/pkgconfig) and
delete it. Then /usr/lib/pkgconfig will exist in dpkg's database but
actually be missing in the filesystem. Since multipath-tools in trixie
no longer ships a .pc file, the same issue happens if you upgrade from
bookworm to trixie as that upgrade entails a removal of /lib/pkgconfig.
Note that even though the file move moratorium is meant to prevent
problems, this particular problem class is not prevented and the problem
really exists in bookworm and trixie.

I suggest that pkgconf-bin gains a maintainer script that recreates
the empty directory. In order to be run as multipath-tools is deleted,
we can declare a dpkg trigger in that aliased location. I'm attaching a
patch for your convenience.

You can find more background on this at
https://subdivi.de/~helmut/dep17.html. The problem at hand is called P6
and the proposed mitigation is M20.

Other possible mitigations are:
 * Not having an empty directory. I suspect though that this directory
   exists with reason as an integration point.
 * M21: Install a placeholder file into the directory (making it
   non-empty).  As dpkg tries to delete /lib/pkgconfig, it'll notice
   that it is non-empty and skip the deletion.
 * M9: Even though the diversion mechanism was not invented for
   directories, it can be thus used with hacks. pkgconf-bin could
   install a diversion of /lib/pkgconfig. When multipath-tools is
   removed or upgraded, dpkg may delete the diverted path instead of
   /usr/lib/pkgconfig.

Helmut
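
The failure described above and mitigations M20 and M21, reproduced in a scratch directory as an added example (not part of the original report or patch). It assumes `rmdir` as a stand-in for dpkg removing a directory whose last owner is gone; the function names and the `.placeholder` file name are hypothetical.

```shell
#!/bin/sh
# Added illustration: P6 directory loss in a scratch tree, no dpkg involved.
# Assumption: rmdir stands in for dpkg deleting a directory once its last
# owner is removed; like dpkg, it skips directories that are not empty.

# Build a minimal /usr-merged tree: lib is a symlink to usr/lib.
make_merged_root() {
    mkdir -p "$1/usr/lib/pkgconfig"
    ln -s usr/lib "$1/lib"
}

# Mimic removing the only package that ships lib/pkgconfig/libdmmp.pc.
remove_last_owner() {
    rm -f "$1/lib/pkgconfig/libdmmp.pc"
    rmdir "$1/lib/pkgconfig" 2>/dev/null || true
}

# simulate none|placeholder|recreate
# Prints whether usr/lib/pkgconfig survives: "present" or "missing".
simulate() {
    root=$(mktemp -d) || return 1
    make_merged_root "$root"
    : > "$root/lib/pkgconfig/libdmmp.pc"    # installed via the aliased path
    if test "$1" = placeholder; then        # M21 (file name is hypothetical)
        : > "$root/usr/lib/pkgconfig/.placeholder"
    fi
    remove_last_owner "$root"
    if test "$1" = recreate && ! test -d "$root/usr/lib/pkgconfig"; then
        # M20: the step the triggered maintainer script performs
        install -d -m 0755 "$root/usr/lib/pkgconfig"
    fi
    if test -d "$root/usr/lib/pkgconfig"; then
        state=present
    else
        state=missing
    fi
    rm -rf "$root"
    echo "$state"
}

for mitigation in none placeholder recreate; do
    printf '%s: %s\n' "$mitigation" "$(simulate "$mitigation")"
done
```
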
diff --minimal -Nru pkgconf-1.8.1/debian/changelog 
pkgconf-1.8.1/debian/changelog
--- pkgconf-1.8.1/debian/changelog      2023-01-22 12:06:42.000000000 +0100
+++ pkgconf-1.8.1/debian/changelog      2023-08-24 10:39:21.000000000 +0200
@@ -1,3 +1,10 @@
+pkgconf (1.8.1-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Mitigate loss of /usr/lib/pkgconfig due to /usr-merge. (Closes: #-1)
+
+ -- Helmut Grohne <hel...@subdivi.de>  Thu, 24 Aug 2023 10:39:21 +0200
+
 pkgconf (1.8.1-1) unstable; urgency=high
 
   * New upstream release.
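
Review bot: `(Closes: #-1)` in the new changelog entry is still the submission placeholder, the same `-1` used in `Control: affects -1`, so it must be replaced with the assigned bug number before upload or the upload will not close this report. The entry would also be easier to trace later if it named DEP-17 P6, as the comments in the postinst and triggers files do.
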
diff --minimal -Nru pkgconf-1.8.1/debian/pkgconf-bin.postinst 
pkgconf-1.8.1/debian/pkgconf-bin.postinst
--- pkgconf-1.8.1/debian/pkgconf-bin.postinst   1970-01-01 01:00:00.000000000 
+0100
+++ pkgconf-1.8.1/debian/pkgconf-bin.postinst   2023-08-24 10:39:21.000000000 
+0200
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if test "$1" = configure -o "$1" = triggered && ! test -d 
"$DPKG_ROOT/usr/lib/pkgconfig"; then
+       # Mitigate DEP-17 P6. Delete this after trixie has been released as
+       # multipath-tools/bookworm was the last package to install to
+       # /lib/pkgconfig and stopped doing so in 0.9.4-4.
+       install -d -o root -g root -m 0755 "$DPKG_ROOT/usr/lib/pkgconfig"
+fi
+
+#DEBHELPER#
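
Review bot: the condition `test "$1" = configure -o "$1" = triggered` relies on the `-o` operator, which POSIX marks obsolescent; a `case "$1" in configure|triggered)` arm expresses the same check without it and reads more clearly. Separately, `install -d` runs under `set -e`, so if `$DPKG_ROOT/usr/lib/pkgconfig` exists as something other than a directory the postinst fails during configuration or trigger processing; it is worth deciding whether that case should be fatal.
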
diff --minimal -Nru pkgconf-1.8.1/debian/pkgconf-bin.triggers 
pkgconf-1.8.1/debian/pkgconf-bin.triggers
--- pkgconf-1.8.1/debian/pkgconf-bin.triggers   1970-01-01 01:00:00.000000000 
+0100
+++ pkgconf-1.8.1/debian/pkgconf-bin.triggers   2023-08-24 10:39:21.000000000 
+0200
@@ -0,0 +1,4 @@
+# Mitigate DEP-17 P6. Delete this after trixie has been released as
+# multipath-tools/bookworm was the last package to install to /lib/pkgconfig
+# and stopped doing so in 0.9.4-4.
+interest-noawait /lib/pkgconfig
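
Review bot: the comment above `interest-noawait /lib/pkgconfig` does not say why the interest names the aliased `/lib` path rather than `/usr/lib/pkgconfig`, the path pkgconf-bin itself ships, so a later cleanup could "correct" the path and silently disable the mitigation. Suggest one more comment line stating that the interest has to match the path as the other package names it.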
