Thorsten, Helmut,

On Mon, Jul 15, 2024 at 01:09:09PM +0200, Helmut Grohne wrote:
> Package: libplayeronecamera2t64
> Version: 3.1.0+20221218103507-2
> Severity: serious
[..]
> thank you for applying our /usr-move patches. Unfortunately, this one
> went wrong and it went to unstable rather than experimental.

I'm very sorry this one slipped through. I should have rechecked this patch after the t64 migration mostly settled.

The following upgrade scenario demonstrates the loss. It may be possible to construct a simpler scenario. (This needs mmdebstrap 1.5.1-4 or better.)

mmdebstrap \
  --components="main non-free" \
  --include=libplayeronecamera2 \
  --hook-dir=/usr/share/mmdebstrap/hooks/no-merged-usr \
  --chrooted-customize-hook='rm /etc/unsupported-skip-usrmerge-conversion' \
  --chrooted-customize-hook='apt update' \
  --chrooted-customize-hook='apt install --reinstall -y usrmerge' \
  --chrooted-customize-hook='ls -l /' \
  --chrooted-customize-hook='dpkg -L libplayeronecamera2' \
  --chrooted-customize-hook='sed -i -e s/bookworm/unstable/ -e /unstable-/d /etc/apt/sources.list' \
  --chrooted-customize-hook='apt update' \
  --chrooted-customize-hook='apt upgrade -y libc6 systemd' \
  --chrooted-customize-hook='cd /tmp && apt download libplayeronecamera2t64' \
  --chrooted-customize-hook='cd /tmp && dpkg --auto-deconfigure --unpack *.deb' \
  --chrooted-customize-hook='dpkg -l libplayerone*' \
  --chrooted-customize-hook='ls -la /lib/udev/rules.d/99-player_one_astronomy.rules' \
  --chrooted-customize-hook='apt install -f -y' \
  --chrooted-customize-hook='dpkg -l libplayerone*' \
  --chrooted-customize-hook='ls -la /lib/udev/rules.d/99-player_one_astronomy.rules' \
  bookworm /dev/null

> If you feel that a stronger mitigation is necessary, I can supply a
> patch adding protective diversions (via maintainer scripts).
>
> Please let me know your preference. Roughly speaking your options now
> are:
>  * rename the rules file (closing both bugs)
>  * move the rules file to a -common package (closing the -2 bug)
>  * upgrade Replaces to Conflicts (closing the -1 bug)
>  * request diversion-based mitigation (closing the -1 bug)

I'll attach a patch implementing the last option. As you can see this is far from beautiful. I'd suggest applying the patch _and_ switching Replaces to Conflicts to be extra safe.

Testing the new version could be done with the same script as above, but replacing this line:

- --chrooted-customize-hook='cd /tmp && apt download libplayeronecamera2t64' \
+ --customize-hook='upload '$(pwd)'/libplayeronecamera2t64_3.1.0+20221218103507-2.1_arm64.deb /tmp/new.deb' \

Once again, I'm sorry this slipped through.

Chris

diff -Nru libplayerone-3.1.0+20221218103507/debian/changelog libplayerone-3.1.0+20221218103507/debian/changelog --- libplayerone-3.1.0+20221218103507/debian/changelog 2024-07-13 12:36:28.000000000 +0200 +++ libplayerone-3.1.0+20221218103507/debian/changelog 2024-07-15 18:53:25.000000000 +0200 @@ -1,3 +1,10 @@ +libplayerone (3.1.0+20221218103507-2.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Add DEP17 P1 mitigations. (Closes: #1076374) + + -- Chris Hofstaedtler <z...@debian.org> Mon, 15 Jul 2024 18:53:25 +0200 + libplayerone (3.1.0+20221218103507-2) unstable; urgency=medium * upload to unstable diff -Nru libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.lintian-overrides libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.lintian-overrides --- libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.lintian-overrides 2024-07-13 12:36:28.000000000 +0200 +++ libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.lintian-overrides 2024-07-15 18:53:25.000000000 +0200 @@ -1,3 +1,7 @@ # that is the way upstream delivers stuff hardening-no-bindnow libplayeronecamera2t64: package-name-doesnt-match-sonames libPlayerOneCamera3 +# begin-remove-after: released:trixie +# DEP17P7 mitigation +diversion-for-unknown-file lib/udev/rules.d/99-player_one_astronomy.rules [*] +# end-remove-after diff -Nru libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.postinst libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.postinst --- libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.postinst 1970-01-01 01:00:00.000000000 +0100 +++ libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.postinst 2024-07-15 18:53:25.000000000 +0200 
@@ -0,0 +1,9 @@ +#!/bin/sh + +# begin-remove-after: released:trixie +if test "$1" = configure; then + dpkg-divert --no-rename --package libplayeronecamera2t64 --divert /lib/udev/rules.d/99-player_one_astronomy.rules.usr-is-merged --remove /lib/udev/rules.d/99-player_one_astronomy.rules +fi +# end-remove-after + +#DEBHELPER# diff -Nru libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.preinst libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.preinst --- libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.preinst 1970-01-01 01:00:00.000000000 +0100 +++ libplayerone-3.1.0+20221218103507/debian/libplayeronecamera2t64.preinst 2024-07-15 18:53:25.000000000 +0200 @@ -0,0 +1,11 @@ +#!/bin/sh + +set -e + +# begin-remove-after: released:trixie +if test "$1" = upgrade || test "$1" = install; then + dpkg-divert --no-rename --package libplayeronecamera2t64 --divert /lib/udev/rules.d/99-player_one_astronomy.rules.usr-is-merged --add /lib/udev/rules.d/99-player_one_astronomy.rules +fi +# end-remove-after + +#DEBHELPER#
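
Review bot: In debian/libplayeronecamera2t64.lintian-overrides the added comment reads "DEP17P7 mitigation", while the changelog entry in the same patch says "Add DEP17 P1 mitigations". The two labels should name the same DEP17 problem; pick one and use it in both places, so that whoever later processes the begin-remove-after block can tell which issue the diversion-for-unknown-file override belongs to.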
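
Review bot: The new debian/libplayeronecamera2t64.postinst has no "set -e" after the shebang, unlike the preinst added in the same patch. Without it, a failing dpkg-divert --remove in the configure branch is not guaranteed to stop the script once #DEBHELPER# expands to further commands, and the diversion of /lib/udev/rules.d/99-player_one_astronomy.rules could stay registered unnoticed. Add "set -e" before the begin-remove-after block so both maintainer scripts fail the same way.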
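
Review bot: The diversion that debian/libplayeronecamera2t64.preinst adds on install and upgrade is removed only by the postinst configure branch, and the patch ships no postrm. If the unpack is aborted, or the package is removed before it is ever configured, the diversion to 99-player_one_astronomy.rules.usr-is-merged remains registered. Consider adding a postrm that runs the same dpkg-divert --remove call, inside the same begin-remove-after markers, for the abort and remove cases.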