Bug#574956: dpkg drops zero-epoch in status file

Guillem Jover guillem at debian.org
Fri Apr 30 16:31:42 UTC 2010 

Hi!

On Fri, 2010-04-30 at 12:56:08 +0200, David Kalnischkies wrote:
> The problem:
> To compare versions with the same version number apt generates
> a hash over a few informations which are available online and
> in dpkgs status file: all dependencies and the installation size.
> (as these are likely to change if this is another version)

[...]

> we can see that dpkg in his status file drops the zero-epoch.
> This doesn't change the semantic as zero-epoch and no epoch are
> considered equal, but as apt uses the string without deeper
> parsing at this stage this is a big difference in the hash.
> ( can be seen in apt-pkg/deb/deblistparser.cc VersionHash() )

The same problem arises with non-significant zeros before digits, for
example:

  0.001 == 0.1 == 00:000.1

Although this might be trickier to see in the wild, as dpkg itself
would not normalize these versions, but an unknowing packager could
generate those (somehow) thinking they are different.

> Quick&Dirty workaround is to drop the zero-epoch in the package
> so the Packages and status file are equal again. (cc'ed perl group
> and last uploader, maybe they want to do that)
>
> The real solution is to either tell apt to strip out the zero-epoch for
> the hash or to tell dpkg to not remove the zero-epoch in status.

> It is relatively easy for apt to ignore the epoch for the hash as it is
> a simple hash and we don't need to care about false positive removes
> so apt still doesn't need to do expensive parsing here, but i want
> to ask dpkg maintainers (cc'ed and titled to grep their attension)
> for their opinion as this is maybe something they want to change
> instead in their logic for consistence…
> (through no zero epoch could be a change to be consistence…).

I don't think dpkg should stop removing the zero-epoch, it would be
redundant and confusing information. But it might be a good idea to
make dpkg-gencontrol for example drop it on output. And it seems that
apt might need to consider the other equivalent versions too.

regards,
guillem

More information about the pkg-perl-maintainers mailing list