1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL

  • RFC: Additions to dpkg's Pre-Depends

    From Guillem Jover@21:1/5 to All on Wed Jul 6 05:20:01 2022
    XPost: linux.debian.maint.dpkg

    Hi!

    As per Debian policy §3.5, and given dpkg “Essential: yes” nature, I'm bringing up the following potential additions to dpkg's Pre-Depends,
    and whether there is consensus about each of them individually and independently.

    * libmd-dev
    - Rationale:
    src:dpkg currently has its embedded MD5 implementation. On non-Debian
    (and derivatives) it will default to use the message digest function
    from either the system libmd or libc. I'd eventually like to be able
    to remove the embedded code, which is there mostly for Debian. And to
    be able to rely on SHA variants, for fsys metadata tracking and
    similar (and not have to embed those too). I'd rather not add
    support nor link against a crypto library like libgcrypt which might
    already be present on the pseudo-essential set (currently, but could
    go away easily with the OpenSSL license change), as these functions
    are currently used for data integrity rather than for security, and
    would/could get broken with stuff like FIPS enabled.

    - Essential/Build-Essential:
    AFAIR it is already part of the cross bootstrap set? But not of the
    pseudo-build-essential or pseudo-essential sets. Most systems have
    it installed via libbsd. On minimal systems it would increase the
    installed size by around 80 KiB.

    - Disclosure:
    I maintain this in Debian and I'm upstream.

    * libaudit-dev
    - Rationale:
    This could allow to add Linux audit support to dpkg on package action
    events. I've got a branch that might need minor polishing, but could
    otherwise be merged.

    - Essential/Build-Essential:
    On Linux it is already part of the pseudo-essential set.

    * libacl-dev
    - Rationale:
    This could allow in the future (either later in 1.21.x or 1.22.x) to
    support ACLs as part of the fsys metadata tracking support that is
    upcoming.

    - Essential/Build-Essential:
    It is already part of the pseudo-essential set.

    - Disclosure:
    I maintain this in Debian.

    * libcap-dev
    - Rationale:
    This could allow to add support to start-stop-daemon (already code
    available) to drop POSIX capabilities. And also in the future (either
    later in 1.21.x or 1.22.x) to support fsys POSIX capabilities as part
    of the fyss metadata tracking support that is upcoming.

    - Essential/Build-Essential:
    On Linux it is already part of the pseudo-essential set.

    * libzstd-dev
    - Rationale:
    This could allow to add zstd support for .debs via the library. This
    is mostly to leave the door open to that possibility, as I'm still
    pondering whether to perhaps add the support in Debian via the CLI
    and just add those via Recommends or similar. Also there are still
    concerns about the library and I have to note I'm rather unhappy
    with how Ubuntu pushed this, and diverged the .deb ecosystem,
    forcing upstream's hand here. :(
    More details at <https://bugs.debian.org/892664#114>.

    - Essential/Build-Essential:
    On Linux it is already part of the pseudo-essential set.

    Thanks,
    Guillem

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andreas Henriksson@21:1/5 to Guillem Jover on Wed Jul 6 17:00:01 2022
    XPost: linux.debian.maint.dpkg

    On Wed, Jul 06, 2022 at 05:13:05AM +0200, Guillem Jover wrote:
    Hi!
    [...]
    * libaudit-dev
    - Rationale:
    This could allow to add Linux audit support to dpkg on package action
    events. I've got a branch that might need minor polishing, but could
    otherwise be merged.

    - Essential/Build-Essential:
    On Linux it is already part of the pseudo-essential set.
    [...]
    * libcap-dev
    - Rationale:
    This could allow to add support to start-stop-daemon (already code
    available) to drop POSIX capabilities. And also in the future (either
    later in 1.21.x or 1.22.x) to support fsys POSIX capabilities as part
    of the fyss metadata tracking support that is upcoming.

    - Essential/Build-Essential:
    On Linux it is already part of the pseudo-essential set.
    [...]

    IIRC there are several competing capability libraries already part of
    pseudo essential. I think it would be good if we could identify one and
    work towards having only that in pseudo essential (and in theory maybe
    the entire archive use it). Maybe it's out of scope for this discussion though...

    Unless I'm mistaken if dpkg dep on libcap(2) and libaudit, then dpkg
    would transitively dep on both libcap(2) and libcap-ng which seems
    suboptimal.

    https://tracker.debian.org/pkg/libcap2
    https://tracker.debian.org/pkg/libcap-ng

    Regards,
    Andreas Henriksson

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guillem Jover@21:1/5 to Andreas Henriksson on Wed Jul 6 17:40:01 2022
    XPost: linux.debian.maint.dpkg

    On Wed, 2022-07-06 at 16:45:18 +0200, Andreas Henriksson wrote:
    On Wed, Jul 06, 2022 at 05:13:05AM +0200, Guillem Jover wrote:
    [...]
    * libaudit-dev
    - Rationale:
    This could allow to add Linux audit support to dpkg on package action
    events. I've got a branch that might need minor polishing, but could
    otherwise be merged.

    - Essential/Build-Essential:
    On Linux it is already part of the pseudo-essential set.
    [...]
    * libcap-dev
    - Rationale:
    This could allow to add support to start-stop-daemon (already code
    available) to drop POSIX capabilities. And also in the future (either
    later in 1.21.x or 1.22.x) to support fsys POSIX capabilities as part
    of the fyss metadata tracking support that is upcoming.

    - Essential/Build-Essential:
    On Linux it is already part of the pseudo-essential set.
    [...]

    IIRC there are several competing capability libraries already part of
    pseudo essential. I think it would be good if we could identify one and
    work towards having only that in pseudo essential (and in theory maybe
    the entire archive use it). Maybe it's out of scope for this discussion though...

    Ah, sorry, should have included that as part of the rationale too.

    When I looked into this, I checked both libraries, their size, the
    amount of users and their APIs. And my conclusion was that libcap-dev
    looked like a better choice, even if it might be supposedly harder to
    use (which I found it to be the reverse, given it has an explicit API,
    instead of one based on hidden global state), but then libcap-dev API
    could always be improved or a new higher-level layer added on top.

    * libcap-ng-dev
    - Installed size 66 KiB.
    - 27 source packages Build-Depend* on it.
    - Uses (thread-local) hidden global state, when dealing with files
    f.ex, which makes this unintuitive and rather unattractive when
    being used from a library (eventually this would end up in
    libdpkg.so), after that I didn't look further into this library.
    I think ideally this this library could have been either built on
    top of libcap-dev, or any more higher-level interfaces added there.

    * libcap-dev
    - Installed size 65 KiB.
    - 121 source packages Build-Depend* on it.
    - The API looks less constrained and better to use from another
    library.

    (FWIW, I also think unifying on a single library distro-wide would be a
    nice goal, though.)

    Unless I'm mistaken if dpkg dep on libcap(2) and libaudit, then dpkg
    would transitively dep on both libcap(2) and libcap-ng which seems suboptimal.

    Yes, but its an internal implementation detail, so libaudit could be
    switched, and for now, at least they will not end up in the same address
    space. Of course pulling both is not ideal, but on Linux they are both
    already part of the pseudo-essential set anyway, and they are tiny
    compared to say the libzstd one, so…

    Thanks,
    Guillem

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guillem Jover@21:1/5 to Guillem Jover on Wed Jul 6 17:50:01 2022
    XPost: linux.debian.maint.dpkg

    On Wed, 2022-07-06 at 17:30:22 +0200, Guillem Jover wrote:
    Unless I'm mistaken if dpkg dep on libcap(2) and libaudit, then dpkg
    would transitively dep on both libcap(2) and libcap-ng which seems suboptimal.

    Yes, but its an internal implementation detail, so libaudit could be switched, and for now, at least they will not end up in the same address space. Of course pulling both is not ideal, but on Linux they are both already part of the pseudo-essential set anyway, and they are tiny
    compared to say the libzstd one, so…

    I just noticed that libcap-ng and libaudit seem to share the same
    upstream, so while I might be wrong, I'd expect there could be some
    resistance to switch or add support for another POSIX capabilities
    library.

    If this was question where only one library can end up being used, I
    think I'd still take libcap over libcap-ng *and* libaudit.

    Thanks,
    Guillem

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guillem Jover@21:1/5 to Guillem Jover on Fri Aug 5 21:20:01 2022
    XPost: linux.debian.maint.dpkg

    Hi!

    On Wed, 2022-07-06 at 05:13:05 +0200, Guillem Jover wrote:
    As per Debian policy §3.5, and given dpkg “Essential: yes” nature, I'm bringing up the following potential additions to dpkg's Pre-Depends,
    and whether there is consensus about each of them individually and independently.

    Given there's been no major concerns expressed, I'll start
    incrementally adding these dependencies, when the code is ready.

    Thanks,
    Guillem

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)