Package: usrmerge
Version: 31
Severity: critical
Justification: breaks the whole system
X-Debbugs-Cc: z...@owlfolio.org

convert-usrmerge is nominally idempotent and restartable, but (as it says in the script’s own documentation) if “the system crashes at a really bad time” during the conversion process it might not be possible to recover without manual intervention.

Unfortunately, it’s worse than that: if the system crashes at _just_ the wrong time (specifically, in the middle of a convert_directory operation, in between the rename() and symlink() calls) it appears to be possible for the next boot to find the root filesystem in a state where /lib or /bin doesn’t exist at all. Recovery from this state will require booting from installation media.

Since the current plan for the usrmerge transition is to run convert-usrmerge from usrmerge’s postinst, during (for most installations where a conversion is required) a bullseye->bookworm upgrade, which system administrators may choose to do *without* dropping to single user mode, a crash at exactly that point is plausible due to interactions with other concurrent processes. Imagine that a watchdog process picks exactly the moment where /bin is being replaced to check whether it can exec /bin/true, or (perhaps more plausible) a server picks exactly the moment where /lib is being replaced to try to load an NSS module, fails, crashes, and then a watchdog notices the server crash and triggers a reboot.

To fix this, I think some technique for replacing directories with symlinks _atomically_ needs to be found.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-1-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages usrmerge depends on:
ii  libfile-find-rule-perl  0.34-2
ii  perl                    5.34.0-5

usrmerge recommends no packages.

usrmerge suggests no packages.
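
One Linux primitive that closes the rename()/symlink() window described in the report is renameat2() with RENAME_EXCHANGE, which swaps a directory and a symlink in a single step. The following is an added example, not part of the original report and not usrmerge's code; the function names, the temporary name and the scratch layout are assumptions, and the directory being replaced is assumed to have had its contents moved already.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef RENAME_EXCHANGE
#define RENAME_EXCHANGE (1 << 1)   /* value from the Linux UAPI headers */
#endif

/* Replace directory `dir` with a symlink to `target` so that `dir` resolves
 * at every instant. The old directory ends up at `tmp` for later removal.
 * Returns 0 on success, -1 with errno set on failure. */
int swap_dir_for_symlink(const char *dir, const char *target, const char *tmp)
{
    if (symlink(target, tmp) != 0)           /* stage the link under a temp name */
        return -1;
    if (syscall(SYS_renameat2, AT_FDCWD, tmp, AT_FDCWD, dir, RENAME_EXCHANGE) != 0) {
        int saved = errno;
        unlink(tmp);                         /* nothing was exchanged; dir is untouched */
        errno = saved;
        return -1;
    }
    return 0;
}

/* Constructed demo in a scratch directory (hypothetical layout, not a real root). */
int demo(void)
{
    char root[] = "/tmp/usrmerge-demo-XXXXXX";
    struct stat st;
    if (!mkdtemp(root) || chdir(root) != 0) return -1;
    if (mkdir("usr", 0755) || mkdir("usr/bin", 0755) || mkdir("bin", 0755)) return -1;
    if (swap_dir_for_symlink("bin", "usr/bin", "bin.swap-tmp") != 0) return -1;
    if (lstat("bin", &st) != 0 || !S_ISLNK(st.st_mode)) return -1;          /* now a link */
    if (lstat("bin.swap-tmp", &st) != 0 || !S_ISDIR(st.st_mode)) return -1; /* old dir */
    return rmdir("bin.swap-tmp");
}

int main(void)
{
    if (demo() != 0) { perror("demo"); return 1; }
    puts("bin was replaced by a symlink in one step");
    return 0;
}
```

renameat2() is Linux-specific (kernel 3.15 and later), both names must be on the same filesystem, and the filesystem itself must support RENAME_EXCHANGE; where it fails, the directory is left exactly as it was.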