[Bug 1934992] Re: rsync 3.2.x in Groovy depends on broken libxxhash 0.7.x

Sat Jul 10 08:08:00 UTC 2021

Thanks, Robie, for the excellent response.

> Actually I'm not sure it's a symbol versioning issue now.

Maybe this example can persuade you that there is a problem between
(lib)xxhash in Focal and in Groovy:

  focal$ xxh128sum <(echo -n)
  07fd4e968e916ae11f17545bce1061f1  /dev/fd/63

  groovy$ xxh128sum <(echo -n)
  99aa06d3014798d86001c324468d497f  /dev/fd/63

> I suggest you find the fix and send it to wherever
> the problem originates in our ecosystem (maybe Debian?
> Or perhaps xxhash upstream?). Unless a supported
> use case is presented, I think it's unlikely that
> we'll carry a patch for this in Ubuntu.

I think I can safely say now that the problem originates in the Debian
package:

if the symbols file is altered as I have done here [1] the problem goes away:
[1] https://github.com/norbusan/debian-xxhash/issues/3 
```

--- a/debian/libxxhash0.symbols
+++ b/debian/libxxhash0.symbols
@@ -1,9 +1,9 @@
 libxxhash.so.0 libxxhash0 #MINVER#
- XXH128 at Base 0.7.0
- XXH128_canonicalFromHash at Base 0.7.1
+ XXH128 at Base 0.8.0
+ XXH128_canonicalFromHash at Base 0.8.0
...
```
A rebuild of rsync against a libxxhash0 with the above symbol changes will properly Depend on 0.8.0+.


I am just not intimately familiar with the rules for these symbol files, so I'm not 100% sure if the above changes are "legal". Can you shed some light on this?


> I'd appreciate a fix at the origin of the problem,
> and that would go into a subsequent Ubuntu release

Well. If we get the symbols file updated so it says 0.8.0, then
subsequent updates from Debian would trickle into Ubuntu. Then any _new_
builds (of for example rsync) against the updated libxxhash library
package would get the dependencies fixed.

That does leave the problem of libxxhash 0.7.x on Ubuntu/Focal:

- it has a broken xxh128sum binary
- it exposes access to old/invalid xxh128 functions leading to possible future problems when people start upgrading their libxxhash0

To remedy that, I would suggest a rebuild of xxhash + libxxhash0 on
Focal where all xxh128 symbols/functionality is removed/blacklisted.

I could do some quilting that simply `#if 0`'s the relevant code. Is
this something that would be accepted?


** Bug watch added: github.com/norbusan/debian-xxhash/issues #3
   https://github.com/norbusan/debian-xxhash/issues/3

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to xxhash in Ubuntu.
https://bugs.launchpad.net/bugs/1934992

Title:
  rsync 3.2.x in Groovy depends on broken libxxhash 0.7.x

Status in xxhash package in Ubuntu:
  Triaged
Status in xxhash source package in Groovy:
  Won't Fix

Bug description:
  **Problem**

    $ rsync root at focal-system:/etc/.pwd.lock . 
    ERROR: .pwd.lock failed verification -- update discarded.
    rsync error: some files/attrs were not transferred (see previous errors)
      (code 23) at main.c(1816) [generator=3.2.3]

  
    $ rsync root at focal-system:/etc/.pwd.lock . --debug=all
    opening connection using: ssh -l root focal-system rsync --server --sender \
      -e.LsfxCIvu . /etc/.pwd.lock  (10 args)
    (Client) Protocol versions: remote=31, negotiated=31
    Client negotiated checksum: xxh128
    ...

  
  **Cause**

    focal-system# dpkg -l | grep -E 'libxxhash|rsync'
    ii  libxxhash0:amd64  0.7.3-1         amd64
    ii  rsync             3.2.3-2ubuntu1  amd64

  
  **Why this affects only us and not more people?**

  On Ubuntu/Focal, there is no rsync 3.2.3, only 3.1.3-8. But because we
  need the lz4 compression support we've fetched a newer rsync (from
  Groovy).

  However: the rsync 3.2.3 depends on libxxhash0 0.7.1+, while in fact
  it needs 0.8+.

  
  **Details**
    
  On a Ubuntu/Focal system we have installed a rsync 3.2.3 package from Ubuntu/Groovy because we need the lz4 compression support.

  
  focal-system# apt-cache show rsync
  Package: rsync
  ...
  Version: 3.2.3-2ubuntu1
  Depends: lsb-base, libacl1 (>= 2.2.23), libc6 (>= 2.15),
    liblz4-1 (>= 0.0~r130), libpopt0 (>= 1.14), libssl1.1 (>= 1.1.0),
    libxxhash0 (>= 0.7.1), libzstd1 (>= 1.3.8), zlib1g (>= 1:1.1.4)
  ...

  
  Alongside this we had libxxhash0 0.7.3-1 from Focal:

  focal-system# apt-cache policy libxxhash0
  libxxhash0:
    Installed: 0.7.3-1
    Candidate: 0.7.3-1
    Version table:
   *** 0.7.3-1 500
          500 http://ARCHIVE/ubuntu focal/universe amd64 Packages
          100 /var/lib/dpkg/status

  
  According to the dependencies, this should work. But the combination does not, as this quote from the rsync maintainer would tell you:
  https://github.com/WayneD/rsync/issues/122#issuecomment-737690913
  > Yeah, Cyan4973 could have told you that the 128-bit xxhash only
  > just stabilized in its 0.8.0 release, so anything older than
  > that isn't compatible.

  
  **The fix**

  As the maintainer points out, version 0.7 is not stable (= broken for
  our intents and purposes) and thus not fit for use with rsync 3.2.

  I would argue that it's a good idea to bump the dependency of rsync
  3.2.3 on Groovy to libxxhash0>=0.8

  After all, in Groovy there is a libxxhash0 0.8.0-1ubuntu1.20.10.1, so
  that would not be a problem. And it would fix issues for those mixing
  and matching packages.

  
  Thanks!

  Walter Doekes
  OSSO B.V.

  
  (*) possible patch:

  $ diff -pu debian/control{.orig,}
  --- debian/control.orig	2021-07-08 09:56:57.646861644 +0200
  +++ debian/control	2021-07-08 09:57:38.499029903 +0200
  @@ -8,7 +8,7 @@ Build-Depends: debhelper-compat (= 13),
                  libacl1-dev,
                  libpopt-dev,
                  liblz4-dev,
  -               libxxhash-dev,
  +               libxxhash-dev (>= 0.8),
                  libzstd-dev,
                  zlib1g-dev,
                  libssl-dev

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xxhash/+bug/1934992/+subscriptions

