Debian Bug report logs - #462456
lintian: Please consider testing if files in -dbg packages retain Dynamic Section entries

version graph

Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <lintian-maint@debian.org>; Source for lintian is src:lintian.

Reported by: Neil Williams <codehelp@debian.org>

Date: Thu, 24 Jan 2008 23:12:02 UTC

Severity: wishlist

Found in version lintian/1.23.42

Fixed in version lintian/1.23.43

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#462456; Package lintian. Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lintian: Please consider testing if files in -dbg packages retain Dynamic Section entries
Date: Thu, 24 Jan 2008 23:09:44 +0000
Package: lintian
Version: 1.23.42
Severity: wishlist

See #462007 - I have come across a non-obvious problem in the use of
-dbg packages using dh_strip where, if a .install file exists for the
-dbg package, dh_install copies the unstripped object into the -dbg
build directory. When dh_strip --dbg-package=libfoo-dbg is then called,
it silently omits the file from the call to objcopy --only-keep-debug
(to prevent an objcopy error), resulting in an unstripped object file
being retained in the -dbg package that has a complete (and fully
functional) copy of the library embedded inside - as shown by the
presence of a full Dynamic Section under objdump -p. Without the
.install file, dh_strip takes care of copying the debug symbols into
place directly - no .install command is actually needed.

The solution is to simply remove the debian/libfoo-dbg.install file.

However, the error goes undetected because dh_strip outputs no warnings,
lintian does not check for it (yet) and there is no particular sign of a
problem except the larger size of the files in the -dbg package. With a
new library package (or the addition of a new -dbg package to an
existing library source), this could easily be missed because all
debugging operations using the -dbg package are unaffected.

With the .install file present:
$ ll /usr/lib/debug/usr/lib/libqof*.so.*.*
-rw-r--r-- 1 root root  155585 2007-12-19 21:49
/usr/lib/debug/usr/lib/libqof-backend-qsf.so.0.0.7
-rw-r--r-- 1 root root   78554 2007-12-19 21:49
/usr/lib/debug/usr/lib/libqof-backend-sqlite.so.0.0.2
-rw-r--r-- 1 root root 1029686 2007-12-19 21:49
/usr/lib/debug/usr/lib/libqof.so.1.0.9

With the .install file removed:
$ debc | tail
drwxr-xr-x root/root         0 2008-01-24 22:53 ./usr/lib/debug/usr/lib/
-rw-r--r-- root/root    728646 2008-01-24 22:53
./usr/lib/debug/usr/lib/libqof.so.1.0.9
-rw-r--r-- root/root    103217 2008-01-24 22:53
./usr/lib/debug/usr/lib/libqof-backend-qsf.so.0.0.7
-rw-r--r-- root/root     47930 2008-01-24 22:53
./usr/lib/debug/usr/lib/libqof-backend-sqlite.so.0.0.2

It should be relatively simple for lintian to check for entries in the
Dynamic Section under objdump -p - the 'Dynamic Section' will be present
but a listing in that section should, IMHO, be a lintian warning.

"dbg-package-with-dynamic-section-entries"
"The ${name} debug package may contain an embedded copy of the unstripped
library ${name} instead of only the debugging symbols. Please check that
you have not tried to install the ${name} library into the -dbg package,
either manually or via a debian/${name}-dbg.install file. There is no
need to install ${filename} into the -dbg package as 
dh_strip --dbg-package=${name}-dbg will do it for you."

How does that sound?


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lintian depends on:
ii  binutils            2.18.1~cvs20080103-1 The GNU assembler, linker and bina
ii  diffstat            1.45-2               produces graph of changes introduc
ii  dpkg-dev            1.14.16.4            package building tools for Debian
ii  file                4.23-1               Determines file type using "magic"
ii  gettext             0.17-2               GNU Internationalization utilities
ii  intltool-debian     0.35.0+20060710.1    Help i18n of RFC822 compliant conf
ii  libparse-debianchan 1.1.1-2              parse Debian changelogs and output
ii  liburi-perl         1.35.dfsg.1-1        Manipulates and accesses URI strin
ii  man-db              2.5.0-4              on-line manual pager
ii  perl [libdigest-md5 5.8.8-12             Larry Wall's Practical Extraction 

lintian recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#462456; Package lintian. Full text and rfc822 format available.

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. Full text and rfc822 format available.

Message #10 received at 462456@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: Neil Williams <codehelp@debian.org>
Cc: 462456@bugs.debian.org
Subject: Re: Bug#462456: lintian: Please consider testing if files in -dbg packages retain Dynamic Section entries
Date: Thu, 24 Jan 2008 15:33:31 -0800
Neil Williams <codehelp@debian.org> writes:

> Package: lintian
> Version: 1.23.42
> Severity: wishlist
>
> See #462007 - I have come across a non-obvious problem in the use of
> -dbg packages using dh_strip where, if a .install file exists for the
> -dbg package, dh_install copies the unstripped object into the -dbg
> build directory. When dh_strip --dbg-package=libfoo-dbg is then called,
> it silently omits the file from the call to objcopy --only-keep-debug
> (to prevent an objcopy error), resulting in an unstripped object file
> being retained in the -dbg package that has a complete (and fully
> functional) copy of the library embedded inside - as shown by the
> presence of a full Dynamic Section under objdump -p. Without the
> .install file, dh_strip takes care of copying the debug symbols into
> place directly - no .install command is actually needed.

Some people intentionally put debugging builds of their libraries into the
-dbg package instead of detached debugging symbols.  I think this test
might give false positives for that case.  (Or are such library builds not
seupposed to go into /usr/lib/debug?)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#462456; Package lintian. Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. Full text and rfc822 format available.

Message #15 received at 462456@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 462456@bugs.debian.org
Cc: Neil Williams <codehelp@debian.org>, 461339@bugs.debian.org
Subject: Re: Bug#462456: lintian: Please consider testing if files in -dbg packages retain Dynamic Section entries
Date: Fri, 25 Jan 2008 16:24:04 +0200
[ joeyh: it looks like you missed /emul in the dh_shlibdeps list, so
  CCing #461339. ]

On Thu, Jan 24, 2008 at 03:33:31PM -0800, Russ Allbery wrote:
> Neil Williams <codehelp@debian.org> writes:
> 
> > Package: lintian
> > Version: 1.23.42
> > Severity: wishlist
> >
> > See #462007 - I have come across a non-obvious problem in the use of
> > -dbg packages using dh_strip where, if a .install file exists for the
> > -dbg package, dh_install copies the unstripped object into the -dbg
> > build directory. When dh_strip --dbg-package=libfoo-dbg is then called,
> > it silently omits the file from the call to objcopy --only-keep-debug
> > (to prevent an objcopy error), resulting in an unstripped object file
> > being retained in the -dbg package that has a complete (and fully
> > functional) copy of the library embedded inside - as shown by the
> > presence of a full Dynamic Section under objdump -p. Without the
> > .install file, dh_strip takes care of copying the debug symbols into
> > place directly - no .install command is actually needed.
> 
> Some people intentionally put debugging builds of their libraries into the
> -dbg package instead of detached debugging symbols.  I think this test
> might give false positives for that case.  (Or are such library builds not
> seupposed to go into /usr/lib/debug?)

As I understand this:
 - detached debugging symbols go to /usr/lib/debug/$FULLPATH, 
   eg. /usr/lib/debug/usr/lib/libperl.so.5.8.8, where gdb will find them
 - the few cases where a separate debugging build is preferred, it goes 
   directly under /usr/lib/debug, eg. /usr/lib/debug/libc.so.6, so it
   can be used through LD_LIBRARY_PATH.

See also the GDB manual, section 15.2:

 http://sourceware.org/gdb/current/onlinedocs/gdb_16.html#SEC156

This is also what dh_shlibdeps currently relies on. Quoting joeyh in #461339:

> It seems possible, though unlikely, that a debug library might be
> installed in /usr/lib/deubg/$foo/ rather than directly in
> /usr/lib/debug/. So only looking in /usr/lib/debug/*.so* or the like
> might miss some that should be processed.

> I'm pretty sure that anything in
> /usr/lib/debug/{lib,lib64,usr,bin,sbin,opt,dev}/ is going to be
> separated debug symbols, and it could just ignore those directories and
> process the rest.

I can't see anything about this in the policy, and the Developer's
Reference only talks about the detached symbol case.

I agree with Neil that a warning for packages that have the full library
object code under eg. /usr/lib/debug/usr/lib would be nice. OTOH, if
#461350 is implemented, those should also trigger the missing-dep-on-libc
error, since dh_shlibdeps doesn't look at the files.

FWIW, I can't find any usr/lib/debug subdirectories in the archive other than 
the following:

sid% apt-file search -x 'usr/lib/debug/.*/' | egrep -v 'usr/lib/debug/(lib|usr|bin|emul|sbin)/' 
sid%

which makes even the /usr/lib/debug/$package case look far-fetched.

Cheers,
-- 
Niko Tyni   ntyni@debian.org




Tags added: pending Request was from www-data <www-data@wolffelaar.nl> to control@bugs.debian.org. (Tue, 05 Feb 2008 04:57:02 GMT) Full text and rfc822 format available.

Message sent on to Neil Williams <codehelp@debian.org>:
Bug#462456. Full text and rfc822 format available.

Message #20 received at 462456-submitter@bugs.debian.org (full text, mbox):

From: www-data <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 462456-submitter@bugs.debian.org
Subject: Lintian bugs fixed in revision r1177
Date: Tue, 05 Feb 2008 05:54:45 +0100
package lintian
# Fixed in r1177 by rra
tag 462456 + pending
thanks

These bugs are fixed in revision 1177 by rra
Log message:
  + [RA] Check files in /usr/lib/debug directories mirroring the main
    file system to verify they are detached debugging symbols and not
    full libraries or executables.  Thanks, Neil Williams and Niko
    Tyni.  (Closes: #462456)






Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Neil Williams <codehelp@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 462456-close@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 462456-close@bugs.debian.org
Subject: Bug#462456: fixed in lintian 1.23.43
Date: Wed, 06 Feb 2008 06:47:04 +0000
Source: lintian
Source-Version: 1.23.43

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive:

lintian_1.23.43.dsc
  to pool/main/l/lintian/lintian_1.23.43.dsc
lintian_1.23.43.tar.gz
  to pool/main/l/lintian/lintian_1.23.43.tar.gz
lintian_1.23.43_all.deb
  to pool/main/l/lintian/lintian_1.23.43_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 462456@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 05 Feb 2008 21:07:30 -0800
Source: lintian
Binary: lintian
Architecture: source all
Version: 1.23.43
Distribution: unstable
Urgency: low
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 lintian    - Debian package checker
Closes: 273309 377392 458164 458742 458785 459502 459509 459514 459787 459851 459871 460168 460347 460499 460625 460731 460964 460966 461350 461822 461823 461978 461982 462065 462456 462586 462601 462635 463028 463138 463142 463281 463476 464026
Changes: 
 lintian (1.23.43) unstable; urgency=low
 .
   The "37 bug fixes is enough for one release" release.
 .
   * checks/binaries{.desc,}:
     + [RA] Don't require objdump's errors on files with bad dynamic tables
       to start at the beginning of the line.  Patch from Chris Lamb.
       (Closes: #459509)
     + [RA] Warn for packages that have binaries requiring libc but which
       don't depend on libc.  Patch from Niko Tyni.  (Closes: #461350)
     + [RA] Remove check for libc5 binaries.  libc5 is long-gone.
     + [RA] Remove various dead tag descriptions we no longer issue.
     + [RA] Warn on packages that provide Perl modules but don't depend on
       perlapi-*.  Thanks, Niko Tyni.  (Closes: #463142)
     + [RA] Check files in /usr/lib/debug directories mirroring the main
       file system to verify they are detached debugging symbols and not
       full libraries or executables.  Thanks, Neil Williams and Niko
       Tyni.  (Closes: #462456)
   * checks/changelog-file:
     + [RA] Decode the changelog entry from UTF-8 before doing length
       checks.  Thanks, Cyril Brulebois.  (Closes: #461822)
     + [RA] Check for mismatches between the latest changelog and
       NEWS.Debian entries if they're for the same package version.
       Thanks, Cyril Brulebois.  (Closes: #461823)
   * checks/common_data.pm:
     + [RA] Add Bugs, Origin, and Breaks to known binary and udeb fields
       and Bugs to known source fields, matching current dpkg.  Thanks,
       Raphaël Hertzog.  (Closes: #459787)
   * checks/debhelper:
     + [RA] CDBS now defaults to a debhelper compatibility level of V5.
     + [FL] Update list of debhelper commands that modify maintainer
        scripts. Add dh_icons, dh_installudev, dh_pysupport, dh_pycentral
        and rename dh_installtexfonts to dh_installtex.
     + [RA] Add checks for versioned debhelper dependencies for dh_icons
       and dh_installifupdown.  Thanks, Evgeni Golov.  (Closes: #463028)
   * checks/fields{.desc,}:
     + [RA] The CDBS ant rules are in class, not rules.  Thanks, Cyril
       Brulebois.  (Closes: #460168)
     + [RA] Versioned Python dependencies satisfy a Python debian/rules
       requirement.  Add a separate tag for Python build dependencies to
       explain the dependency possibilities.  Ignore dh_python if
       debian/pyversion or a Python-Version control field are present.
       Thanks, Loïc Minier.  (Closes: #460625)
     + [RA] Check that -dbg packages depend on their base package.  Patch
       from Chris Lamb.  (Closes: #458785)
     + [RA] Check the value of Dm-Upload-Allowed.
     + [RA] Warn about packages with a list as the maintainer and no
       Uploaders.  Thanks, Sune Vuorela.  (Closes: #462635)
     + [RA] Remove the package-has-duplicate-relation test.  It gets
       relations with different version strictness in different levels of
       dependency wrong and what it gets right dpkg-gencontrol strips out.
   * checks/files{.desc,}:
     + [RA] In many of the long descriptions for symlink-related tags,
       mention that running dh_link will fix symlink problems.
     + [RA] Fix a long-standing error in the regex checking for *.desktop
       files in /usr/share/gnome/apps that caused the tag to never be
       issued.  Remove the check for /usr/share/applnk, since obsolete or
       not KDE appears to actively use it still.
     + [RA] Check for *.devhelp{2,} files not linked into devhelp's search
       path.  Based on a patch by Bradley Smith.  (Closes: #273309)
     + [RA] Warn about /etc/cron.{hourly,daily,weekly,monthly} scripts that
       won't be executed by run-parts because of periods in the name.
       Patch from Chris Lamb.  (Closes: #458742)
     + [RA] Warn of .gitignore files installed by the package.  Patch from
       Chris Lamb.  (Closes: #459502)
     + [RA] Warn of more language extensions on files in the user's path.
       Patch from Chris Lamb.  (Closes: #459514)
     + [RA] Remove the tag for empty Perl directories.  The underlying
       issue is fixed in Perl 5.10; there's no need to add code to
       debian/rules when 5.10 is landing soon.  (Closes: #463138)
   * checks/infofiles:
     + [RA] Don't issue unknown-intepreter for maintainer scripts with
       weird interpreters.  checks/scripts already handles this and the tag
       wasn't defined.  Thanks, Thijs Kinkhorst.  (Closes: #460964)
     + [RA] Fix Perl warnings given a zero-byte maintainer script.  Thanks,
       Thijs Kinkhorst.  (Closes: #460966)
   * checks/init.d{.desc,}:
     + [RA] Downgrade a missing LSB Short-Description keyword to info since
       it's not required for functionality.  Thanks, Petter Reinholdtsen.
       (Closes: #460499)
   * checks/manpages{.desc,}:
     + [RA] Make hyphen-used-as-minus-sign more conservative to avoid false
       positives with non-ASCII text and catch hyphens at the start of
       lines.  Thanks, Michal Čihař.  (Closes: #459871)
     + [CW] Use man's new --warnings option to catch use of undefined
       strings, macros, or diversions in manual pages, which usually indicate
       mistaken use of "." or "'" at the start of a line. This check is only
       enabled if man 2.5.1 or later is installed.  (Closes: #377392)
   * checks/menu-format:
     + [RA] Avoid a Perl warning for desktop entries without Exec.
     + [RA] Fix a bug that prevented Exec keys in desktop files from being
       checked at all.  Thanks, Raphael Geissert.  (Closes: #462601)
     + [RA] Exempt packages providing the su wrappers from the check for
       using su-to-root.  Thanks, Raphael Geissert.
   * checks/menus:
     + [RA] Don't issue unknown-interpreter for maintainer scripts with
       weird interpreters.
     + [RA] Fix Perl warnings given a zero-byte maintainer script.
   * checks/po-debconf:
     + [RA] Exclude from not-using-po-debconf template files with only the
       shared templates used for coordination with dictionaries-common.
       Thanks, Thomas Bushnell BSG.  (Closes: #460731)
   * checks/rules.desc:
     + [RA] To fix an ignores-make-clean-error, suggest removing "-" for
       static makefiles.  Thanks, Andrea Colangelo.  (Closes: #458164)
   * checks/scripts{.desc,}:
     + [RA] Re-add php4-cli as a valid interpreter for those who want to
       maintain stable compatibility.  Thanks, Thomas Goirand.
     + [RA] Be clearer in the tag name that php-cli dependencies should be
       versioned.  Add more explanation to the long description of several
       interpreter tags about limitations and requested bug filings.
     + [RA] Remove tcl as a valid interpreter since tclx8.3 is obsolete.
       (tclsh is the standard interpreter name.)
     + [RA] Require versioned dependencies for OCaml scripts.  Each version
       is ABI-incompatible.  Thanks, Samuel Mimram.  (Closes: #462065)
     + [RA] Add tcl and tk metapackages.  Thanks, Sergei Golovan.
       (Closes: #463281)
     + [RA] Catch exec wrappers that use $* instead of $@ (not that this is
       a good idea).  Thanks, Adam D. Barratt.  (Closes: #463476)
     + [RA] Integrate several more bashism checks from checkbashisms in
       devscripts.  Patch from Adam D. Barratt.  (Closes: #464026)
 .
   * debian/control:
     + [RA] Suggest man-db >= 2.5.1 for better warning support.
     + [RA] Wrap Uploaders.
 .
   * frontend/lintian:
     + [RA] Include info tags in the broken-down description of the
       override count since they're included in the total.  Based on a
       patch by Chris Lamb.  (Closes: #459851)
     + [RA] Don't try to report overrides when not checking a package.
       Thanks, Håkon Stordahl.  (Closes: #461978)
     + [RA] Cope with a relative path to the lab.  Patch from Håkon
       Stordahl.  (Closes: #461982)
     + [RA] Don't require *.changes files for source-only uploads to have a
       Description field.  Thanks, Cyril Brulebois.  (Closes: #462586)
 .
   * lib/Spelling.pm:
     + [RA] Add spelling corrections for PostgreSQL and OCaml and lots of
       new capitalization corrections.  (Closes: #460347)
Files: 
 d124d7752ccb9bd39612f0ab6920016d 904 devel optional lintian_1.23.43.dsc
 ad139b1091a3f8f9c80bcd021b89a48f 385135 devel optional lintian_1.23.43.tar.gz
 8779b8c012622fb9c5fa9305e190bb93 318858 devel optional lintian_1.23.43_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHqVGY+YXjQAr8dHYRArwaAJ42rDLMYNRdwBFM4XGk+gbEp2AF1gCeOv2y
Ahk4hHk45fRbAnjR3JA/KX0=
=OSLm
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 Mar 2008 07:36:06 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:31:24 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.