Control: tags -1 -pending
Control: close -1

On Wed, 31 Jan 2024 21:02:50 +0000 Steve Langasek <vorlon@debian.org>
wrote:

Source: libcomps
Version: 0.1.19-2.1
Severity: serious
Tags: patch pending
Justification: library ABI skew on upgrade
User: debian-arm@lists.debian.org
Usertags: time-t

Dear maintainer,

As part of the 64-bit time_t transition required to support 32-bit architectures in 2038 and beyond (https://wiki.debian.org/ReleaseGoals/64bit-time), we have identified libcomps as a source package shipping runtime libraries whose ABI
either is affected by the change in size of time_t, or could not be
analyzed via abi-compliance-checker (and therefore to be on the safe
side we assume is affected).

To ensure that inconsistent combinations of libraries with their reverse-dependencies are never installed together, it is necessary to
have a library transition, which is most easily done by renaming the
runtime library package.

Since turning on 64-bit time_t is being handled centrally through a

change

to the default dpkg-buildflags (https://bugs.debian.org/1037136), it

is

important that libraries affected by this ABI change all be uploaded

close

together in time.  Therefore I have prepared a 0-day NMU for libcomps
which will initially be uploaded to experimental if possible, then to unstable after packages have cleared binary NEW.

Please find the patch for this NMU attached.

If you have any concerns about this patch, please reach out ASAP. 

Although

this package will be uploaded to experimental immediately, there will

be a

period of several days before we begin uploads to unstable; so if

information

becomes available that your package should not be included in the

transition,

there is time for us to amend the planned uploads.

There are no mentions of 'time_t' in the public headers of this
library. The logs shows that it's a false positive, as the automated
tool simply wasn't able to build it:

https://adrien.dcln.fr/misc/armhf-time_t/2024-02-06T16%3A48%3A00/logs/libcomps-dev/base/log.txt

Closing as not applicable.

--
Kind regards,
Luca Boccassi

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErCSqx93EIPGOymuRKGv37813JB4FAmXDru0ACgkQKGv37813 JB4g3A/6Ai4ac7VQZCRxrCUCFVVGw5Xrj4Nh5GieCbekbjurLMgCa23anqhha9X2 YqgTVrZZ8l9LtqkAcUqH0LHPjdzKPMUXLgSgUU1nsCxsYYBNMxD8nJRX10T5qYKm 1ZKwEFZozKVVuLgpz6htcBRXr9q7+D8cQ3mCnEN4X67te537hHQnr2kmv0nXxtFx eWX5O7m7fW/lKTa1IfeHeidRBkHg9KxGEv7RnmlQea1Mte3A/HtOkQQ3hhkoA+Hy cSF+s6Qqbl9qXfRtwGZ7aVfXifCeVB+PI95AGjuNwAlMhAFhNmx0vWMl6KJxWK09 cY9emEFV02JpKMrjZwMkBokRefrbH2b9MUI7DHShLBnMOPeNabHZ+vMPZ2Bc/wn/ 5rxBAktiv7rrGYkW9ULzDtZYd31fh2UGGYojaf+42RxeDWGDBzlpOlwktAlOA1wy kU40LaY8bTeKkO+KEAyPVHleKWLe1IqrXaGGD0qXAygouwyn4U6WCTJhkTfjBv8m QJvWy+ZFqIf8/AUeB7Nyb/4tF8ZZj3rjfh9oSJweCcNMhfQOpJjdOTNNKXK2f/dT IvoxXKAfTB1kM3PDsWJELUcJa9oNhWYB0K1lRe/nl9tKCxN9PxCL8sxFqb5wkBoL 3OTYKF3LW+26OhxQIArksPAlNafnLc962uDKcfooXb5cwlQa3tY=
=9RqC
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Feb 07, 2024 at 04:25:17PM +0000, Luca Boccassi wrote:

Control: tags -1 -pending
Control: close -1

[...]

There are no mentions of 'time_t' in the public headers of this
library. The logs shows that it's a false positive, as the automated
tool simply wasn't able to build it:

[...]

Closing as not applicable.

thanks for closing this bug and thanks for the t64 transition in the first place!
that said, someone needs to request the removal of src:libcomps from experimental
now, and if this would only affect src:libcomps I would probably do that myself,
but knowing there are several many cases of this: please also request removal of
those packages from experimental which were accidently uploaded there! thanks for
that too & already!


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

The past is over.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmXD4poACgkQCRq4Vgaa qhycThAAioozKE+b3RG9FXGG2bV2ezKEoDUjmOjrhemNyBPJUTgTXcDrX6VXInA0 hsDbN0Yb8IKZDmq/FeTVgLabjj3NJtoDR+09+fuF0EE6kptf7oz0qashuFcwEjYg NCYdmaTEBw87IFBvDLvAQn3OR3B2CVKPi9sQhNAPjKV9bRhk8QUL/GUnkhphKBNF Wfg+m/usfF4eR3xdMArU50gUcE+4NX1FyPGWfPHpHmhzQai6i4L2grXr6B/w/sAc wMQrTACIIwxuZicWX2kIC+Iy9R4g7PDZ8Qrtntt6KJbXmkHJLTw4TQdorULcs1YG FIhoxU2G1cAGhcig5/dFigwsy2H1RU11ncR9r1A41a0Bot+EbhTBC+69g10fRB6q 1BvlmFaBuKw4SF7lFpSTyeVsKQjWp03yKD75dHxg4NC8bepxtGoA1kcR94RBiWaU rCi7JluW21kQLIEr/MxvfnV38LSFcf6vBRRyyQccGXfyIN51rBHjX4sMypY/FbtW KmPxLyTe0zMknwYVB3CQg66ejnX0NThmXM28w5vmK1I1rDMBg7ZAANQQ8Bk7eoI2 MIfLXagwV/IE/KcBalKoRSG73B+mOeYNDZ36DjvU+Lz02pH93o7sLvTE84ikvA+9 YEFA3fMAte/ue8o2vt/XcUoFgpvbI

Control: reopen -1

Revisiting this because somehow I didn't receive the original bug closure email, and overlooked the contents of the explanation.

On Wed, Feb 07, 2024 at 08:05:52PM +0000, Holger Levsen wrote:

On Wed, Feb 07, 2024 at 04:25:17PM +0000, Luca Boccassi wrote:

Control: tags -1 -pending
Control: close -1

[...]

There are no mentions of 'time_t' in the public headers of this
library. The logs shows that it's a false positive, as the automated
tool simply wasn't able to build it:

[...]

Closing as not applicable.

This is not sufficient reason to consider the bug a false-positive. time_t
is *not* the only type eaffected by this, and the entire reason that we use abi-compliance-checker for identifying packages that need uploaded is to
ensure we have deep inspection of the exposed types via a compiler rather
than a grep that we know will have false-negatives.

So, I'm reopening this bug report. This package has already been skipped
over in the short term for NMUing to unstable, so you can take some
additional time to do your own analysis - but barring that, I will plan to
do the NMU in 2 days.

--
Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErEg/aN5yj0PyIC/KVo0w8yGyEz0FAmXflHIACgkQVo0w8yGy Ez3VmRAAuI0HKgWjV0PYyE8cquKDTiChd/Be1RtEL9LWqMWGl1tVGXirV/fMgw7y NLa5RbEx9ElUREDci2YmpfJ5ZTTFqcrrHeFC6k54c16W1BK1265LahzyPGApwg+W d3mTYGKbJE9g8wOs3EbHDCyVfVw/6gvDwgQI/1YcuM61O88184FzBUGUknyxy0sE NoOm/Gyqb2S/uLuptuz4AVpbH4M6Xiw4NJTzXDDgsn3FT6XyJkAOnEnrU1ws0Vct dT77qGQ7FFGhdMHo5bXZwToAB4wDidkAxw58InbCvxi3jtWf+RaAzT4PtnfK/sna E+/IwKGeUaP/PendUCHFdda+CkA4XlUXTW49ZhxVGYE4lHkV58kdgYlSdy3N9ID1 YmxBcb/clpr0GSdh9ZWImcmUtzFqMuQmSnZcNtrDnhQyHtKoZFEVvAKMPDLa//MG Ahe78tBDvtYofiFgBDBn5hzQQDAzSmS5EY3+MJpVlaX8FVHtneMM9hDnGb5bkByd p3kobzL3ypyed5ApBt+rCUguC1oGeKGsn40bldZxsbIpc8ss/RPMU/HXbHXn7CLM 43kLo7GPrgIAE/YgsZ1N

On Wed, Feb 28, 2024 at 09:38:06PM +0000, Luca Boccassi wrote:

On Wed, 28 Feb 2024 at 20:15, Steve Langasek <vorlon@debian.org> wrote:

On Wed, Feb 07, 2024 at 08:05:52PM +0000, Holger Levsen wrote:

On Wed, Feb 07, 2024 at 04:25:17PM +0000, Luca Boccassi wrote:

Control: tags -1 -pending
Control: close -1

[...]

There are no mentions of 'time_t' in the public headers of this library. The logs shows that it's a false positive, as the automated tool simply wasn't able to build it:

[...]

Closing as not applicable.

This is not sufficient reason to consider the bug a false-positive. time_t is *not* the only type eaffected by this, and the entire reason that we use abi-compliance-checker for identifying packages that need uploaded is to ensure we have deep inspection of the exposed types via a compiler rather than a grep that we know will have false-negatives.

Well, the title of this bug is "NMU diff for 64-bit time_t
transition", and the bug description said:

"we have identified libcomps as a source package shipping runtime
libraries whose ABI either is affected by the change in size of
time_t, or could not be analyzed via abi-compliance-checker"

So the fact that there's no trace of time_t to be found and the script
was broken and couldn't find anything either sounds to me more than
enough to say it is a false positive.
If there are more things that can affect this, then the bug
description ought to at least mention what they are and why, but right
now it doesn't.

So, I'm reopening this bug report. This package has already been skipped over in the short term for NMUing to unstable, so you can take some additional time to do your own analysis - but barring that, I will plan to do the NMU in 2 days.

If you can fix the script and show it is actually needed then sure,
please feel free to reopen and show that it's actually needed. But
otherwise no, having to carry a silly package name forever "just in
case" is very much not ok, sorry.

Seven months ago, the fact that we did not have capacity to fix every
library package that ships broken headers was communicated to debian-devel
and that if maintainers wanted to be sure they didn't get an unnecessary transition, they were welcome to contribute patches to the analysis scripts
or fix their packages to make the headers analyzable.

The log showing the headers are broken is at

https://adrien.dcln.fr/misc/armhf-time_t/2024-02-26T12%3A07%3A00/logs/libcomps-dev/base/abi-compliance-checker.log

I'm not going to argue with you about this. Expect an NMU incoming.

--
Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEErEg/aN5yj0PyIC/KVo0w8yGyEz0FAmXftm0ACgkQVo0w8yGy Ez01IBAAjmwlu4wl+D+2LNuCQviIuHvDnjfmgEB07CZdctIsQskg47ia4TR5COU6 Fk8xiiiP6tEJkJLfHA+P/kQK697Ts3GUyq8YqkJyDLWVtvm9iF/oINrxdxZdwHr2 abPOpNc1RTd1ckmKKwZ2N837I8MnbtdTdn6yOXXZtoqYVmVe7OW+hb+5vQ57wV9O C3qsAHa3i0SdIilQ0C/TYSLfhMsc0xUo3BEkg4CJLXGXmLvi2zLO+sosbzlDVXRj n3Qzxrud5t2AxRRrWDI+5F3oqiFg5G7C/IsOs13mG2Bki3jbt44HN932xzyOSS4j p6VbP/tfe09O8LN9hmV5rAMzzKbiOATJuxkggIVQ9EHFEWLuwzs4R8t4ZRjx/RZ4 zjbWOnjH9mHwp1+sUhsapCEckKqzo0eslG5WtLvuE0P9q6juecX6L1qXzBP7hFb+ IBTeCWkk4vjVeGFof9vf/xYLmuX/3rHFL0rpzhyelwO9F3QnBv4tmms3BAOPlneK CaxKEneeYhOObRc6p1rhQ2uz/S7FhzdWi+8vLlTGVwRJkj1lSFPDb3gr3zmehbqQ nDiGtBshVwZ+f/4keRoz

On Wed, 28 Feb 2024 at 22:40, Steve Langasek <vorlon@debian.org> wrote:

On Wed, Feb 28, 2024 at 09:38:06PM +0000, Luca Boccassi wrote:

On Wed, 28 Feb 2024 at 20:15, Steve Langasek <vorlon@debian.org> wrote:

On Wed, Feb 07, 2024 at 08:05:52PM +0000, Holger Levsen wrote:

On Wed, Feb 07, 2024 at 04:25:17PM +0000, Luca Boccassi wrote:

Control: tags -1 -pending
Control: close -1

[...]

There are no mentions of 'time_t' in the public headers of this library. The logs shows that it's a false positive, as the automated tool simply wasn't able to build it:

[...]

Closing as not applicable.

This is not sufficient reason to consider the bug a false-positive. time_t
is *not* the only type eaffected by this, and the entire reason that we use
abi-compliance-checker for identifying packages that need uploaded is to ensure we have deep inspection of the exposed types via a compiler rather than a grep that we know will have false-negatives.

Well, the title of this bug is "NMU diff for 64-bit time_t
transition", and the bug description said:

"we have identified libcomps as a source package shipping runtime
libraries whose ABI either is affected by the change in size of
time_t, or could not be analyzed via abi-compliance-checker"

So the fact that there's no trace of time_t to be found and the script
was broken and couldn't find anything either sounds to me more than
enough to say it is a false positive.
If there are more things that can affect this, then the bug
description ought to at least mention what they are and why, but right
now it doesn't.

So, I'm reopening this bug report. This package has already been skipped over in the short term for NMUing to unstable, so you can take some additional time to do your own analysis - but barring that, I will plan to
do the NMU in 2 days.

If you can fix the script and show it is actually needed then sure,
please feel free to reopen and show that it's actually needed. But otherwise no, having to carry a silly package name forever "just in
case" is very much not ok, sorry.

Seven months ago, the fact that we did not have capacity to fix every
library package that ships broken headers was communicated to debian-devel and that if maintainers wanted to be sure they didn't get an unnecessary transition, they were welcome to contribute patches to the analysis scripts or fix their packages to make the headers analyzable.

Sorry, that's not how it works. If you report a bug, you need to
provide enough information to prove that there really is a bug. If you
don't have the capacity or time, that's fine, but it means nothing
gets changed.

I'm not going to argue with you about this. Expect an NMU incoming.

Expect it to be immediately followed by a revert.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 29 Feb 2024 at 17:12, Steve Langasek <vorlon@debian.org> wrote:

On Wed, Feb 28, 2024 at 09:38:06PM +0000, Luca Boccassi wrote:

Well, the title of this bug is "NMU diff for 64-bit time_t
transition", and the bug description said:

"we have identified libcomps as a source package shipping runtime
libraries whose ABI either is affected by the change in size of
time_t, or could not be analyzed via abi-compliance-checker"

So the fact that there's no trace of time_t to be found and the script
was broken and couldn't find anything either sounds to me more than
enough to say it is a false positive.
If there are more things that can affect this, then the bug
description ought to at least mention what they are and why, but right
now it doesn't.

So, I'm reopening this bug report. This package has already been skipped over in the short term for NMUing to unstable, so you can take some additional time to do your own analysis - but barring that, I will plan to
do the NMU in 2 days.

If you can fix the script and show it is actually needed then sure,
please feel free to reopen and show that it's actually needed. But otherwise no, having to carry a silly package name forever "just in
case" is very much not ok, sorry.

We have done the work now to get an out-of-band result from abi-compliance-checker confirming that this library's ABI is not affected.

That's great, thanks for checking.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)