Bug#797858: devscripts: build-rdeps does not work for any but the most trivial dependency situatinos

Johannes Schauer josch at debian.org
Thu Sep 3 05:08:21 UTC 2015 

Package: devscripts
Version: 2.15.8
Severity: important
Tags: patch

Hi,

the only situation in which build-rdeps works reliably is if

 - the source package specifies "Build-Depends: foo"
 - foo is a real package
 - all source packages using foo directly depend on it
 - foo is Multi-Arch:no

the reality though is more complicated:

 - the source package might have version restrictions in its
   Build-Depends
 - the source package might have architecture restrictions in its
   Build-Depends
 - the source package might have build profile restrictions in its
   Build-Depends
 - the source package might not directly but only indirectly
   (transitively) depend on foo (in which case all complications of
   binary package relationships are added to the mix)
 - foo might be a virtual package
 - foo might be part of a dependency alternative "A|foo"
 - foo is not Multi-Arch:no and a crossbuild is required

To do a quantitative check of how often the simple "grep-like" mode of
operation that build-rdeps currently uses generates wrong results, lets
compare the capability of build-rdeps to find reverse dependencies with
the one of dose-ceve.  Since dose3 is used by wanna-build we expect that
it correctly implements all dependency relationships used in Debian and
can thus serve as a ground truth.

For this endeavour we first generate the list of all binary packages
that are transitively build-depend upon by any source package in Debian:

grep-dctrl '' Sources -n -s Package | sort -u | sed 's/^/src:/' \
	| xargs --max-chars=10000 echo | tr ' ' ',' \
	| xargs --max-args=1 -I{} dose-ceve -T deb -G pkg \
		--deb-native-arch=amd64 -c {} \
		debsrc://Sources deb://Packages \
	| grep-dctrl -n -s Package '' | sort -u

According to the above, there are 17107 binary packages that are part of
a source package dependency closure.

Then, for each of these binary packages, we calculate the source
packages in its reverse dependencies in two ways. First, with a nearly
unmodified (only sorting was added to allow easy comparison) build-rdeps
script and then secondly with the build-rdeps script with dose-ceve
support (patch attached).

The result is that:

 - 6390 (37%) binary packages have the same reverse build dependencies
 - 10717 (63%) binary packages have differing reverse build dependencies

If we indeed assume that dose3 can serve as a ground truth, then we can
conclude that build-rdeps calculates wrong reverse build dependencies
for 63% of all binary packages that it makes sense to ask this question.

This is my justification for making this patch of important severity.

To fix this problem I propose the attached patch.

If dose-ceve is installed (and new enough) then build-rdeps will use it
to calculate the reverse build dependencies of a binary packages. If
dose-ceve is not installed (or too old) then it will warn that it will
use the old unreliable behavior instead.

If dose-ceve is installed (and new enough) then the old behaviour can be
forced with the --without-ceve command line argument.

Additionally, the command line options --host-arch and --build-arch can
be used to set host and build architecture for resolving cross build
reverse build dependencies. This is possible because dose-ceve
understands multiarch.

Thanks!

cheers, josch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-scripts-build-rdeps.pl-add-dose-ceve-support.patch
Type: text/x-diff
Size: 11483 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20150903/84f80a08/attachment.patch>

More information about the devscripts-devel mailing list