Bug#846232: [pkg-gnupg-maint] Bug#846232: libgpgme-dev: Provides: libgpgme11-dev must be versioned

Adrian Bunk bunk at stusta.de
Wed Nov 30 19:16:20 UTC 2016


On Wed, Nov 30, 2016 at 01:53:33PM -0500, Daniel Kahn Gillmor wrote:
> Control: reassign 846232 libopenvas-dev
> Control: affects 846232 + libgpgme-dev
> Control: tags 846232 + patch
> 
> Hi Adrian--

Hi Daniel,

> thanks for the heads-up!
> 
> On Tue 2016-11-29 07:57:28 -0500, Adrian Bunk wrote:
> > Package: libgpgme-dev
> > Version: 1.8.0-2
> > Severity: serious
> > Control: affects -1 libopenvas-dev
> >
> > libopenvas-dev depends on libgpgme11-dev (>= 1.1.2), to make libopenvas-dev
> > installable again the Provides in libgpgme11-dev must be versioned.
> 
> hm, i'm not sure about this.  from debian policy 3.9.8.0,
> 
> file:///usr/share/doc/debian-policy/policy-1.html#s-virtual (§ 7.5)
> says:
> 
>     If a relationship field has a version number attached, only real
>     packages will be considered to see whether the relationship is
>     satisfied (or the prohibition violated, for a conflict or
>     breakage). In other words, if a version number is specified, this is
>     a request to ignore all Provides for that package name and consider
>     only real packages. The package manager will assume that a package
>     providing that virtual package is not of the "right" version. A
>     Provides field may not contain version numbers, and the version
>     number of the concrete package which provides a particular virtual
>     package will not be considered when considering a dependency on or
>     conflict with the virtual package name.[52]
> 
>     […]
> 
>     [52] It is possible that a future release of dpkg may add the
>          ability to specify a version number for each virtual package it
>          provides. This feature is not yet present, however, and is
>          expected to be used only infrequently.
> 
> So i think that the place to fix the problem is in libopenvas-dev,
> right?  Please consider the attached patch.
> 
> Feel free to reassign back if you think that this analysis is wrong and
> can help me see what the right evaluation is.

I wondered the same before writing the bug.

The answer I got on #debian-devel is that this is one case where the 
policy document is outdated (support for versioned Provides is already 
available in jessie, so upgrades are covered).

With one rdep your patch is as good at fixing this problem as my 
suggestion (but I am not involved in maintaining either package).

> > Severity set RC, since this prevents testing migration of gpgme1.0
> 
> Agreed that this migration blocker is serious.
> 
> Regards,
> 
>        --dkg

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



More information about the Pkg-security-team mailing list