Use virtual package mechanism for BoringSSL package #686
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Why alternative packages are not good ------------------------------------- Alternative package dependencies are great, but they have several issues for the use case we need. First of all, 'boolean package dependencies' are not supported on CentOS 7 which we need to support. RPM >= 4.13 is required to build *and* install such packages correctly [1]. Unfortunately, CentOS 7 uses RPM 4.11 so we're out of luck here. [1]: https://rpm.org/user_doc/boolean_dependencies.html The second issue is that if some other package previously depended on, say, "libthemis (>= 0.13)", the new "libthemis-boringssl" cannot satisfy that depenency. It is able to, but the package manager will not allow it to be installed for it is not "libthemis". What is the alternative to them? (heh) -------------------------------- Alternative (boolean) package dependencies may work for our packages since we make them to, but they won't work for other packages. In fact, alternative dependencies are not the best solution here. We would like the BoringSSL flavor to be able to stand in for the OpenSSL flavor because it provides the same API and ABI. dpkg and RPM have a mechanism for this -- the "Provides" field in the package specs. "Provides", "Conflicts", and "Replaces" --------------------------------------- If BoringSSL package *provides* "libthemis" then it can satify the need for "libthemis" of any other package, like "libthemis-jni", for example. Similarly, "libthemis-boringssl-dev" provides "libthemis-dev". Note, however, that "libthemis" and "libthemis-boringssl" are still mutually exclusive so they need to conflict with each other. In fact, all flavors of "libthemis" conflict with each other and the same is true for the development packages as well. In addition to that, if we declare them as *replacing* one other, the package manager will be able to tell that it can remove the old conflicting package and install an alternative to it, without bothering the user. Caveats ------- FPM discards versioning information from "--provides" arguments. While RPM does not seem to have any issues with that, dpkg does have issues which break conflict resolution if the provided versions are not specificed. We have to insert DEB fields directly to fix this. Otherwise the users will see the following errors dpkg: dependency problems prevent configuration of libthemis-jni: libthemis-jni depends on libthemis (>= 0.13.0+xenial); however: Package libthemis is not installed. Version of libthemis on system, provided by libthemis-boringssl:amd64, is <none>. dpkg: error processing package libthemis-jni (--install): dependency problems - leaving unconfigured when installing packages that depend on "libthemis" when it is replaced by "libthemis-boringssl". Remaining issues ---------------- Although packages can replace each other, there are still some issues with that. For example, on Debian I am not able to cleanly replace both "libthemis" and "libthemis-dev" simultaneously with "libthemis-boringssl" and "libthemis-boringssl-dev", while it is still to do it one package at a time, if done in correct order. RPM on the other had is fine. Also, it is currently possible to install "libthemis-boringssl" and "libthemis-dev" simultaneously without conflicts. While technically it still works, this may be surprising for the users, especially if they try building something with static libraries. It would be nice to disallow such installation in some way.
On some systems (e.g., Ubuntu 16.04) the "libssl-dev" package depends
not only on "libsslX.Y.Z", but on other packages too ("zlib1g" in the
casse of Ubuntu). The current spell for finding out the name of the
OpenSSL library package does not take that into account, and this leads
to incorrect command line passed to FPM.
Improve the spell to react only on "libssl" packages, which there should
be only one in the dependency list.
ilammy
added
core
|
Here's a diagram of the new package interdependencies to make it more clear what the hell does this PR do:
I thought about outlining how this works with later upgrades, but it became so complex that I scrapped the idea. |
vixentael
approved these changes
Aug 3, 2020
shadinua
approved these changes
Aug 12, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Buildbot started failing to build development packages after PRs #682 and #683 have been merged into master. This PR resolves the issues that cause the failures, and improves BoringSSL packaging a bit.
Why alternative packages are not good
Alternative package dependencies are great, but they have several issues for the use case we need. First of all, 'boolean package dependencies' are not supported on CentOS 7 which we need to support. RPM >= 4.13 is required to build and install such packages correctly. Unfortunately, CentOS 7 uses RPM 4.11 so we're out of luck here.
The second issue is that if some other package previously depended on, say,
libthemis (>= 0.13), the newlibthemis-boringsslcannot satisfy that dependency. It is able to, but the package manager will not allow it to be installed for it is notlibthemis.What is the alternative to them? (heh)
Alternative (boolean) package dependencies may work for our packages since we make them to, but they won't work for other packages.
In fact, alternative dependencies are not the best solution here. We would like the BoringSSL flavor to be able to stand in for the OpenSSL flavor because it provides the same API and ABI. dpkg and RPM have a mechanism for this – the
Providesfield in the package specs.Provides,Conflicts, andReplacesIf BoringSSL package provides
libthemisthen it can satisfy the need forlibthemisof any other package, likelibthemis-jni, for example. Similarly,libthemis-boringssl-devcan stand in forlibthemis-dev.Note, however, that
libthemisandlibthemis-boringsslare still mutually exclusive so they need to conflict with each other. In fact, all flavors oflibthemisconflict with each other and the same is true for the development packages as well.In addition to that, if we declare them as replacing one other, the package manager will be able to tell that it can remove the old conflicting package and install an alternative to it, without bothering the user.
Caveats
FPM discards versioning information from
--providesarguments. While RPM does not seem to have any issues with that, dpkg does have issues which break conflict resolution if the provided versions are not specified. We have to insert DEB fields directly to fix this. Otherwise the users will see the following errorswhen installing packages that depend on
libthemiswhen it is replaced bylibthemis-boringssl.Remaining issues
Although packages can replace each other, there are still some issues with that. For example, on Debian I am not able to cleanly replace both
libthemisandlibthemis-devsimultaneously withlibthemis-boringsslandlibthemis-boringssl-dev, while it is still possible to do it one package at a time, if done in correct order. RPM on the other hand is fine.Also, it is currently possible to install
libthemis-boringsslandlibthemis-devsimultaneously without conflicts. While technically it still works, this may be surprising for the users, especially if they try building something with static libraries. It would be nice to disallow such installation in some way.OpenSSL dependency fix for Ubuntu 16.04
On some systems (e.g., Ubuntu 16.04) the
libssl-devpackage depends not only onlibsslX.Y.Z, but on other packages too (zlib1g-devin the case of Ubuntu). The current spell for finding out the name of the OpenSSL library package does not take that into account, and this leads to incorrect command line passed to FPM.Improve the spell to react only on
libsslpackages, which there should be only one in the dependency list.Checklist