[Bug 1990856] [NEW] Does not consider all versions in Packages files

[Dan Watkins]

Public bug reported:

Some implementations of apt mirror metadata generation generate Packages
files which are not alpha-sorted by package name.  apt and britney2
handle these files without issue, but debootstrap does not: it will only
consider the first contiguous run of stanzas for a package (taking the
last stanza as the latest).

When running debootstrap against a mirror with such Packages files,
debootstrap can fail to resolve versioned dependencies which _are_
present in the Packages file, if the satisfying package version isn't
within the first contiguous run of stanzas for that package.  This leads
to avoidable bootstrap failures.  (The specific case we hit: each
e2fsprogs package Pre-Depends on the libext2fs2 package with the same
version: `dpkg --predep-package` finds the newer e2fsprogs version and
reports that libext2fs2 needs installing, but debootstrap has already
installed (the old) libext2fs2 so errors out.)

The problem lies in the pkgdetails_field function (which is implemented
in Perl):
https://git.launchpad.net/ubuntu/+source/debootstrap/tree/functions#n1439.
It takes a list of expected packages and, once it has found a version
for all of them, exits (even if there is more of the Packages file to
process).  It does already have special-casing for multiple versions of
the same package, but only if they are a contiguous run.  (That
behaviour was introduced by cjwatson in 1.0.38[0] to fix
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649319: that bug
report also has useful background info on why multiple versions of a
package in metadata should be supported).

[0] https://salsa.debian.org/installer-
team/debootstrap/-/commit/0fbf86aa8fbcd06cb62fddddcfd4605fef2ee8b2

** Affects: debootstrap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debootstrap in Ubuntu.
https://bugs.launchpad.net/bugs/1990856

Title:
  Does not consider all versions in Packages files

Status in debootstrap package in Ubuntu:
  New

Bug description:
  Some implementations of apt mirror metadata generation generate
  Packages files which are not alpha-sorted by package name.  apt and
  britney2 handle these files without issue, but debootstrap does not:
  it will only consider the first contiguous run of stanzas for a
  package (taking the last stanza as the latest).

  When running debootstrap against a mirror with such Packages files,
  debootstrap can fail to resolve versioned dependencies which _are_
  present in the Packages file, if the satisfying package version isn't
  within the first contiguous run of stanzas for that package.  This
  leads to avoidable bootstrap failures.  (The specific case we hit:
  each e2fsprogs package Pre-Depends on the libext2fs2 package with the
  same version: `dpkg --predep-package` finds the newer e2fsprogs
  version and reports that libext2fs2 needs installing, but debootstrap
  has already installed (the old) libext2fs2 so errors out.)

  The problem lies in the pkgdetails_field function (which is
  implemented in Perl):
  https://git.launchpad.net/ubuntu/+source/debootstrap/tree/functions#n1439.
  It takes a list of expected packages and, once it has found a version
  for all of them, exits (even if there is more of the Packages file to
  process).  It does already have special-casing for multiple versions
  of the same package, but only if they are a contiguous run.  (That
  behaviour was introduced by cjwatson in 1.0.38[0] to fix
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649319: that bug
  report also has useful background info on why multiple versions of a
  package in metadata should be supported).

  [0] https://salsa.debian.org/installer-
  team/debootstrap/-/commit/0fbf86aa8fbcd06cb62fddddcfd4605fef2ee8b2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debootstrap/+bug/1990856/+subscriptions