Source: fuse3
Version: 3.14.0-9
Severity: serious
Justification: dpkg unpack error
Tags: patch
User: helm...@debian.org
Usertags: dep17p3
Control: affects -1 + fuse
Hi Laszlo,
dumat now reports an ineffective diversion for /usr/bin/fusermount and
/usr/sbin/mount.fuse. In the end, this partially is a corner case in the
analysis an partially a loop hole in the fuse3 package metadata. Let me
explain.
In bookworm, fuse3 used to Breaks + Replaces fuse. The sid package no
longer Replaces: fuse. I think this is wrong, because bookworm's fuse
and sid's fuse3 both contain /etc/fuse.conf and
/usr/share/initramfs-tools/hooks/fuse. Once spotting the problem, it
isn't actually difficult to produce a practical failure:
mmdebstrap bookworm /dev/null http://deb.debian.org/debian --variant=apt
--include=fuse --customize-hook='sed -i -e s/bookworm/sid/
"$1/etc/apt/sources.list"' --chrooted-customize-hook="apt update && apt-get
download fuse3 && dpkg --auto-deconfigure --unpack fuse3_*.deb"
| dpkg: considering deconfiguration of fuse, which would be broken by
installation of fuse3 ...
| dpkg: yes, will deconfigure fuse (broken by fuse3)
| (Reading database ... 6744 files and directories currently installed.)
| Preparing to unpack fuse3_3.14.0-9_amd64.deb ...
| De-configuring fuse (2.9.9-6+b1), to allow installation of fuse3 (3.14.0-9)
...
| Adding 'diversion of /bin/fusermount to /bin/fusermount.usr-is-merged by
fuse3'
| Adding 'diversion of /sbin/mount.fuse to /sbin/mount.fuse.usr-is-merged by
fuse3'
| Unpacking fuse3 (3.14.0-9) ...
| dpkg: error processing archive fuse3_3.14.0-9_amd64.deb (--unpack):
| trying to overwrite '/etc/fuse.conf', which is also in package fuse
2.9.9-6+b1
| Errors were encountered while processing:
| fuse3_3.14.0-9_amd64.deb
So at a bare minimum, fuse3 must declare Replaces for fuse.
However, we are also dealing with this /usr-move mess. Neither Breaks
nor Replaces prevents fuse from being unpacked while fuse3 is unpacked.
If doing so, dpkg would not notice that wring to /bin/fusermount
clobbers /usr/bin/fusermount. Since we remove the diversions in
postinst, they don't actually prevent such an overwrite. For these
reasons, I think that we should upgrade from Replaces to Conflicts and
thus prevent such a concurrent unpack as is done in a number of other
/usr-move mitigations. Doing so also happens to silence dumat.
And with this long detour goes the one-line patch.
Helmut
diff --minimal -Nru fuse3-3.14.0/debian/changelog fuse3-3.14.0/debian/changelog
--- fuse3-3.14.0/debian/changelog 2024-09-15 08:00:33.000000000 +0200
+++ fuse3-3.14.0/debian/changelog 2024-09-20 11:55:04.000000000 +0200
@@ -1,3 +1,11 @@
+fuse3 (3.14.0-9.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Upgrade Breaks for fuse to Conflicts to prevent accidental file loss.
+ (DEP17, closes: #-1)
+
+ -- Helmut Grohne <hel...@subdivi.de> Fri, 20 Sep 2024 11:55:04 +0200
+
fuse3 (3.14.0-9) unstable; urgency=medium
* Fix FTBFS due to the fuse transitional package.
diff --minimal -Nru fuse3-3.14.0/debian/control fuse3-3.14.0/debian/control
--- fuse3-3.14.0/debian/control 2024-09-13 19:31:58.000000000 +0200
+++ fuse3-3.14.0/debian/control 2024-09-20 11:54:19.000000000 +0200
@@ -24,7 +24,7 @@
mount (>= 2.19.1),
sed (>= 4)
Provides: fuse (= ${source:Version})
-Breaks: fuse (<< ${source:Version})
+Conflicts: fuse (<< ${source:Version})
Description: Filesystem in Userspace (3.x version)
Filesystem in Userspace (FUSE) is a simple interface for userspace programs to
export a virtual filesystem to the Linux kernel. It also aims to provide a
