Bug#992199: perl: bumping Breaks for small patches doesn't work with versioned Provides

Niko Tyni ntyni at debian.org
Sun Aug 15 18:14:21 BST 2021


Source: perl
Version: 5.32.1-5

While fixing https://security-tracker.debian.org/tracker/CVE-2021-36770 in
Encode, we noticed that we could not bump the Breaks in libperl5.32 the
way we expected to forbid a combination of a patched Perl core package
and an unpatched separate libencode-perl package. (The problem about
this combination is that the separate package has precedence on @INC,
so it hides the fixed version.)

Specifically, as perl Provides: libencode-perl (= 3.06) we couldn't make
libperl5.32 Break libencode-perl (<< 3.08-1+deb11u1) as that would have
made perl uninstallable. Bumping the Provides to 3.06-1+deb11u1 would
not help, and bumping them past 3.08 would be lying. The best I came
up with would be to add an epoch, and that seemed too intrusive.

In the context of security updates, it does not seem surprising that a
partial upgrade can leave the system vulnerable. So we decided to live
with this.

I'm filing this mostly to document the general issue. I'm not sure if
there's a solution other than the epoch one, but maybe somebody else
finds one. If not, we can probably live with it in the future too.

The last time we needed this feature was in 5.26.1-4, before we adopted
versioned Provides.
-- 
Niko
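The interaction described in the report, as an added example that is not part of the original mail or of Debian's perl packaging: a Python re-implementation of dpkg's version ordering (the rules behind `dpkg --compare-versions`) used to check whether a candidate Breaks clause would be matched by the package's own versioned Provides, which is what makes the package uninstallable. The `libencode-perl` Provides and Breaks strings are the ones quoted above; the epoch value `1:` and the `3.09` bump are assumed values for the options the report mentions but does not spell out.

```python
"""Detect a Breaks clause that collides with the same package's versioned
Provides, using a re-implementation of dpkg's version comparison.

Added example; not code from the bug report or from Debian's perl packaging.
Version strings not quoted in the report ("1:3.06", "3.09") are constructed.
"""


def _order(c):
    # dpkg's weight for characters in the non-digit parts of a version:
    # '~' sorts before everything (even end of string); end of string and
    # digits count as 0; letters sort before all other characters.
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    # Compare one component (upstream or revision) the way dpkg does:
    # alternate non-digit runs (lexical, with _order) and digit runs (numeric).
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":  # leading zeros are insignificant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():  # longer digit run wins
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    # [epoch:]upstream[-debian_revision]; a missing revision compares as "".
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


_OPS = {
    "<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
    ">=": lambda c: c >= 0, ">>": lambda c: c > 0,
}


def satisfies(version, op, bound):
    """True if `version` satisfies the relation `op bound`."""
    return _OPS[op](compare_versions(version, bound))


def self_conflicts(provides, breaks):
    """Versioned Provides entries that are matched by one of the package's own
    Breaks clauses. Any hit makes the package uninstallable with itself."""
    return [
        (pname, pver, f"{bname} ({op} {bver})")
        for pname, pver in provides
        for bname, op, bver in breaks
        if pname == bname and pver is not None and satisfies(pver, op, bver)
    ]


# The Breaks the report wanted to add to libperl5.32.
PROPOSED_BREAKS = [("libencode-perl", "<<", "3.08-1+deb11u1")]


def evaluate_options():
    """Map each option discussed in the report to whether it still conflicts."""
    options = {
        "provides 3.06 (as shipped)": "3.06",
        "provides 3.06-1+deb11u1": "3.06-1+deb11u1",
        "provides 3.09 (past 3.08, constructed)": "3.09",
        "provides 1:3.06 (epoch, assumed value)": "1:3.06",
    }
    return {label: bool(self_conflicts([("libencode-perl", ver)], PROPOSED_BREAKS))
            for label, ver in options.items()}


if __name__ == "__main__":
    for label, conflicts in evaluate_options().items():
        print(f"{label:45s} -> {'UNINSTALLABLE' if conflicts else 'ok'}")
```

Only the last two options avoid the self-conflict: bumping the provided version past the real Encode 3.08 (the "lying" option) or adding an epoch, which sorts before upstream and revision in the comparison.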