
Bug#1012432: lintian: improve explanation of package-name-doesnt-match-sonames to prevent SONAME bumps without changing the package name



Source: lintian
Version: 2.114.0
Severity: normal
X-Debbugs-Cc: josch@debian.org

Hi,

currently, the explanation of package-name-doesnt-match-sonames reads:

N:   The package name of a library package should usually reflect the soname of the included
N:   library. The package name can determined from the library file name with the following code
N:   snippet:
N:
N:    $ objdump -p /path/to/libfoo-bar.so.1.2.3 | sed -n -e's/^[[:space:]]*SONAME[[:space:]]*//p' | \
N:        sed -r -e's/([0-9])\.so\./\1-/; s/\.so(\.|$)//; y/_/-/; s/(.*)/\L&/'

I think this can be improved. Firstly, the text above talks about
"should" but policy §8.1 talks about "must":

> The run-time shared library must be placed in a package whose name changes
> whenever the SONAME of the shared library changes.

The tag explanation also misses why this is important which is also
explained by policy §8.1:

> This allows several versions of the shared library to be installed at
> the same time, allowing installation of the new version of the shared
> library without immediately breaking binaries that depend on the old
> version.

Maybe amend the explanation of the tag with text from policy, turning a
"should" into a "must" or directly reference the first paragraph of
§8.1. The use of "should" in the current explanation doesn't give much
reason why one should not override this tag.

Secondly, using this tag easily leads to mistakes when upstream *does*
bump the SONAME but the maintainer, if they overrode this tag, will do an
upload without a changed package name. This happened, for example, recently
in #1012407 or in #1010536.

In #debian-devel, Simon McVittie presented two ways to prevent this from
happening in the future. Since lintian cannot detect the intent of the developer,
I think it would make sense to extend the description of the tag to
inform the developer about the possible consequences of overriding this
tag and what they can do to prevent bugs like #1012407 or #1010536 from
happening in the future. The hope is that by giving more context in the tag
description, maintainers who want to override this tag will also take
extra action to prevent bad uploads. Simon McVittie presented two
possible solutions:

1. override the entire lintian tag, not just the tag name

Instead of writing:

> libfooXX: package-name-doesnt-match-sonames

write (for example when overriding because of bundling):

> libfooXX: package-name-doesnt-match-sonames libbarXX libbazXX

That way, should XX change, the tag will not match anymore and the
developer would get a lintian warning. This is done for example in
src:glib2.0 d/libglib2.0-0.lintian-overrides.

2. use fully qualified names in d/*.install

Instead of writing:

> usr/lib/*/libfoo*.so.*

write:

> usr/lib/*/libfoo-XX.so.Y
> usr/lib/*/libfoo-XX.so.Y.*

That way, should the SONAME change, the wildcard would no longer match
and the maintainer would receive an error and would have to investigate the
situation.

I propose the following new explanation for
package-name-doesnt-match-sonames:


N:   The run-time shared library must be placed in a package whose name changes
N:   whenever the SONAME of the shared library changes.
N:   This allows several versions of the shared library to be installed at
N:   the same time, allowing installation of the new version of the shared
N:   library without immediately breaking binaries that depend on the old
N:   version. See policy §8.1 for details.
N:
N:   If you decide to override this tag, please consider adding measures to
N:   prevent you from accidentally forgetting to change the shared library
N:   package name in case an SONAME bump happens in the future. So instead of
N:   adding an override like:
N:
N:       libfoo-bar: package-name-doesnt-match-sonames
N:
N:   override the entire lintian tag with version numbers:
N:
N:       libfoo-bar: package-name-doesnt-match-sonames libbarXX libbazXX
N:
N:   Additionally, consider explicitly adding version numbers instead of
N:   wildcards into your d/lib*.install. That way, you will get an error should
N:   the SONAME change in the future. Instead of writing:
N:
N:       usr/lib/*/libfoo*.so.*
N:
N:   write:
N:
N:       usr/lib/*/libfoo-bar.so.Y
N:       usr/lib/*/libfoo-bar.so.Y.*
N:
N:   The package name can be determined from the library file name with the following code snippet:
N:
N:    $ objdump -p /path/to/libfoo-bar.so.1.2.3 | sed -n -e's/^[[:space:]]*SONAME[[:space:]]*//p' | \
N:        sed -r -e's/([0-9])\.so\./\1-/; s/\.so(\.|$)//; y/_/-/; s/(.*)/\L&/'


Thanks!

cheers, josch
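
The two checks discussed in this report, as an added example that is not part of the original message or of lintian: a portable form of the SONAME-to-package-name rewrite, and a scan of `d/*.install` content for patterns that would still match after a SONAME bump. The function names are hypothetical and the sample install lines are constructed.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample input is constructed.

# Map a SONAME (as printed by the objdump pipeline in the tag text) to the
# package name lintian expects. Same rewrite rules as the page's sed
# command, with tr doing the lowercasing instead of GNU sed's \L.
soname_to_pkgname() {
    printf '%s\n' "$1" |
        sed -E -e 's/([0-9])\.so\./\1-/' -e 's/\.so(\.|$)//' |
        tr '_' '-' | tr '[:upper:]' '[:lower:]'
}

# Return 0 if an install pattern pins library name and SONAME version,
# 1 if a wildcard could hide a SONAME bump, 2 if it is not a versioned .so.
install_pattern_pinned() {
    base=${1##*/}                       # last path component
    case $base in *.so.*) ;; *) return 2 ;; esac
    name=${base%%.so.*}                 # part before the first ".so."
    ver=${base#*.so.}                   # part after it
    major=${ver%%.*}                    # first version component
    case $name in *\** | *\?* | *\[*) return 1 ;; esac
    case $major in '' | *[!0-9]*) return 1 ;; esac
    return 0
}

# Read d/*.install content on stdin; print every source pattern that would
# keep matching after a SONAME bump.
unpinned_patterns() {
    while read -r src rest; do
        case $src in '' | '#'*) continue ;; esac
        rc=0
        install_pattern_pinned "$src" || rc=$?
        if [ "$rc" -eq 1 ]; then printf '%s\n' "$src"; fi
    done
    return 0
}

# Constructed sample: the first line is reported, the other two are pinned.
unpinned_patterns <<'EOF'
usr/lib/*/libfoo*.so.*
usr/lib/*/libfoo-bar.so.1
usr/lib/*/libfoo-bar.so.1.*
EOF
soname_to_pkgname libfoo-bar.so.1
```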
