Feedback wanted for a proposed improvement to RPM's ELF dependency generator
Following a recent thread on the Fedora devel@ mailing list discussing a reproducible failure caused by mismatched library interfaces, I proposed a change to the RPM ELF dependency generator. After discussion in the PR, I've provided an implementation suggested by keszybz@ which would use the "full name" versions collected from library filenames to provide versioned library requirements. Before merging that feature, RPM's maintainers are interested in feedback from a wider audience. If the feature linked below is merged into rpm, would SUSE be interested in using it? Do you have any suggestions to improve the feature, before it's merged? Discussion of the rpm problem: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/... Discussion of the proposed feature: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/... Implementation of the proposed feature: https://github.com/rpm-software-management/rpm/pull/2372
Is the issue Fedora specific? Has the issue been seen in OpenSuse/Suse? Sent from my iPad Begin forwarded message:
From: Gordon Messmer
Date: February 25, 2023 at 23:11:12 EST To: factory@lists.opensuse.org Subject: Feedback wanted for a proposed improvement to RPM's ELF dependency generator Following a recent thread on the Fedora devel@ mailing list discussing a reproducible failure caused by mismatched library interfaces, I proposed a change to the RPM ELF dependency generator. After discussion in the PR, I've provided an implementation suggested by keszybz@ which would use the "full name" versions collected from library filenames to provide versioned library requirements. Before merging that feature, RPM's maintainers are interested in feedback from a wider audience.
If the feature linked below is merged into rpm, would SUSE be interested in using it? Do you have any suggestions to improve the feature, before it's merged?
Discussion of the rpm problem: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
Discussion of the proposed feature: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
Implementation of the proposed feature: https://github.com/rpm-software-management/rpm/pull/2372
On 2023-02-26 07:03, Emanuel Castelo wrote:
Is the issue Fedora specific? Has the issue been seen in OpenSuse/Suse?
I haven't looked over package evolution in any SUSE release, but it's not a Fedora-specific issue. Any release that permits minor-version updates (feature updates) in dependencies within a stable release will have the problem that I'm proposing to solve. Fedora saw the problem because nghttp2 updated from version 1.49 to 1.50, which introduced a new function, and later rebuild libsoup3 to make use of it. If a user had a fresh minimal installation of Fedora, they'd have the original version of libnghttp2 and no libsoup3. If they then installed any app that depended on libsoup3, that application would fail to start, because rpm doesn't have enough information to know that the current libsoup3 requires libnghttp2 >= 1.50. (There is a Fedora-specific issue involved, in that "modularity" makes it more likely for Fedora systems to have updated libsoup3 but not libnghttp2.)
Hello, On Sun, Feb 26, 2023 at 10:03:58AM -0500, Emanuel Castelo wrote:
Is the issue Fedora specific? Has the issue been seen in OpenSuse/Suse?
It's specific to the rpm dependency generator. So long as it is used in opneSUSE/SUSE and not completely replaced by external one it affects how dependencies are generated. This breaks compat libraries. The ones that were mentioned are libsdl-compat and PipeWire-JACK, other potential candidates are OpenGL libraries although those may be using hand-crafted dependencies anyway. The other problem is that this requires rebuilding the world because the dependencies are not backwards compatible. With Leap inheriting packages built on ancient SLE versions we cannot enable this. This would then only work for Factory and ALP that can still be rebuilt. For backward compatibility it would be necessary to figure out if the package providing the library already has the new style dependey, and generete the new style dependency only when it does. FWIW Debian actually tracks which symbols are available in which library version and generates dependencies based on the symbols used and the library version in which they appeared. That means that binary built against newest library version that only uses ancient functions still depends on acient version of the library. This also does not work well with compatibility libraries. Thanks Michal
Sent from my iPad
Begin forwarded message:
From: Gordon Messmer
Date: February 25, 2023 at 23:11:12 EST To: factory@lists.opensuse.org Subject: Feedback wanted for a proposed improvement to RPM's ELF dependency generator Following a recent thread on the Fedora devel@ mailing list discussing a reproducible failure caused by mismatched library interfaces, I proposed a change to the RPM ELF dependency generator. After discussion in the PR, I've provided an implementation suggested by keszybz@ which would use the "full name" versions collected from library filenames to provide versioned library requirements. Before merging that feature, RPM's maintainers are interested in feedback from a wider audience.
If the feature linked below is merged into rpm, would SUSE be interested in using it? Do you have any suggestions to improve the feature, before it's merged?
Discussion of the rpm problem: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
Discussion of the proposed feature: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
Implementation of the proposed feature: https://github.com/rpm-software-management/rpm/pull/2372
On 2023-02-26 09:46, Michal Suchánek wrote:
This breaks compat libraries. The ones that were mentioned are libsdl-compat and PipeWire-JACK, other potential candidates are OpenGL libraries although those may be using hand-crafted dependencies anyway.
Certainly, it'll require additional steps on the package maintainer's part (and possibly upstream) to indicate what ABI version the compat library actually provides. This might be a biased perspective, but I think that this change recognizes that the ABI version is a thing that a compatibility library should match, in addition to the exported symbols.
The other problem is that this requires rebuilding the world because the dependencies are not backwards compatible. With Leap inheriting packages built on ancient SLE versions we cannot enable this.
This would then only work for Factory and ALP that can still be rebuilt. For backward compatibility it would be necessary to figure out if the package providing the library already has the new style dependey, and generete the new style dependency only when it does.
I can discuss the possibility of querying the rpm DB from the generator (or possibly storing some indication of a versioned provide: in the filesystem) with the RPM developers. Would the change be more interesting if that feature were included?
FWIW Debian actually tracks which symbols are available in which library version and generates dependencies based on the symbols used and the library version in which they appeared.
I've looked briefly at dpkg dependencies, and didn't see that. How would I view that information in a dpkg file? How does the dpkg dependency generator know what version the symbols appeared in?
On Sun, Feb 26, 2023 at 11:36:09AM -0800, Gordon Messmer wrote:
On 2023-02-26 09:46, Michal Suchánek wrote:
The other problem is that this requires rebuilding the world because the dependencies are not backwards compatible. With Leap inheriting packages built on ancient SLE versions we cannot enable this.
This would then only work for Factory and ALP that can still be rebuilt. For backward compatibility it would be necessary to figure out if the package providing the library already has the new style dependey, and generete the new style dependency only when it does.
I can discuss the possibility of querying the rpm DB from the generator (or possibly storing some indication of a versioned provide: in the filesystem) with the RPM developers. Would the change be more interesting if that feature were included?
It would be more feasible to include as an update. If tehre is interest from release managers and rpm tool maintainers is a separate question.
FWIW Debian actually tracks which symbols are available in which library version and generates dependencies based on the symbols used and the library version in which they appeared.
I've looked briefly at dpkg dependencies, and didn't see that. How would I view that information in a dpkg file? How does the dpkg dependency generator know what version the symbols appeared in?
It's stored in the package sources, and checked, and updated during package build: https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/li... https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#the-symbols-syst... Thanks Michal
On Sunday 2023-02-26 16:03, Emanuel Castelo wrote:
Is the issue Fedora specific? Has the issue been seen in OpenSuse/Suse?
No. Yes, regularly. (e.g. https://bugzilla.suse.com/show_bug.cgi?id=903974 )
On Sun, Feb 26, Jan Engelhardt wrote:
On Sunday 2023-02-26 16:03, Emanuel Castelo wrote:
Is the issue Fedora specific? Has the issue been seen in OpenSuse/Suse?
No. Yes, regularly. (e.g. https://bugzilla.suse.com/show_bug.cgi?id=903974 )
This sounds like it would be more usefull to teach this projects (correct) symbol versioning for libraries... Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany Managing Director: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman (HRB 36809, AG Nürnberg)
On Sonntag, 26. Februar 2023 19:05:22 CET Thorsten Kukuk wrote:
On Sun, Feb 26, Jan Engelhardt wrote:
On Sunday 2023-02-26 16:03, Emanuel Castelo wrote:
Is the issue Fedora specific? Has the issue been seen in OpenSuse/Suse?
No. Yes, regularly. (e.g. https://bugzilla.suse.com/show_bug.cgi?id=903974 )
This sounds like it would be more usefull to teach this projects (correct) symbol versioning for libraries...
In general, fully agree. From a practical stand point, this is not as easy as it sounds, as projects are often reluctant to do the extra work this causes (though, most of it, is one time only). Though, sometimes it actually works, e.g. [1]. Regards, Stefan [1] https://github.com/samtools/htslib/issues/1505 -- Stefan Brüns / Bergstraße 21 / 52062 Aachen phone: +49 241 53809034 mobile: +49 151 50412019
On 2023-02-26 10:05, Thorsten Kukuk wrote:
This sounds like it would be more usefull to teach this projects (correct) symbol versioning for libraries...
Yes, versioned symbols are preferred, and I make that point in the documentation for the feature I'm proposing. But waiting for library maintainers to version their symbols has not resolved the problem yet, and I think we should be taking steps to address the problem while we continue waiting on them.
On Sonntag, 26. Februar 2023 05:10:52 CET Gordon Messmer wrote:
Following a recent thread on the Fedora devel@ mailing list discussing a reproducible failure caused by mismatched library interfaces, I proposed a change to the RPM ELF dependency generator. After discussion in the PR, I've provided an implementation suggested by keszybz@ which would use the "full name" versions collected from library filenames to provide versioned library requirements. Before merging that feature, RPM's maintainers are interested in feedback from a wider audience.
If the feature linked below is merged into rpm, would SUSE be interested in using it? Do you have any suggestions to improve the feature, before it's merged?
The correct way to fix this is proper symbol versioning. Unfortunately, too few projects make use of it. But enabling this in general would be a major step backwards for all projects which *do* use symbol versioning, and all dependent packages. This also would not work in general, as some projects may add symbols without changing the "fullname". The current approach on openSUSE for these packages currently is one of: 1. Ignore it 2. Change the SONAME so it include the full version (1. often happens because nobody is affected, or nobody reports it.) I think this is only useful as an opt-in. In case a library is known to miss proper symbol versioning, the package maintainer(s) can select this behavior. This would get rid of the (open)SUSE specific patches for (2.) above. Regards, Stefan -- Stefan Brüns / Bergstraße 21 / 52062 Aachen phone: +49 241 53809034 mobile: +49 151 50412019
On 2023-02-26 10:12, Stefan Brüns wrote:
The correct way to fix this is proper symbol versioning. Unfortunately, too few projects make use of it.
Yes, I agree. Versioned symbols are preferred, and the documentation for this proposal states that.
But enabling this in general would be a major step backwards for all projects which *do* use symbol versioning, and all dependent packages.
This feature doesn't change dependency generation for libraries that use versioned symbols, because those are already well handled. It only affects libraries that don't use versioned symbols.
This also would not work in general, as some projects may add symbols without changing the "fullname".
You're right, that this wouldn't be a 100% reliable solution. About 10% of all libraries in Fedora's repos appear to use version "0.0.0" in their full name. But a 90% solution is still far better than a 0% solution. I've also proposed a change to rpminspect that would detect an ABI change without a full name version change in order to detect exactly that condition and prevent it from silently rolling out. (I don't know if SUSE is using rpminspect in their build pipeline.)
I think this is only useful as an opt-in. In case a library is known to miss proper symbol versioning, the package maintainer(s) can select this behavior.
Does the fact that it doesn't affect libraries with versioned symbols change your opinion at all?
On Sat, 25 Feb 2023, Gordon Messmer wrote:
Following a recent thread on the Fedora devel@ mailing list discussing a reproducible failure caused by mismatched library interfaces, I proposed a change to the RPM ELF dependency generator. After discussion in the PR, I've provided an implementation suggested by keszybz@ which would use the "full name" versions collected from library filenames to provide versioned library requirements. Before merging that feature, RPM's maintainers are interested in feedback from a wider audience.
If the feature linked below is merged into rpm, would SUSE be interested in using it? Do you have any suggestions to improve the feature, before it's merged?
While I agree with the comments about symbol versioning being the correct
way to fix the issue (and I also think this feature will make projects
adopting that even less likely) it does look like a sensible way to
match reality for projects using libtool like versioning of libraries.
I'd say in practice it should be an opt-in feature for openSUSE, maybe
it can be triggered by CI detecting the actual problem (symbols
newly appearing with the same SONAME and no symbol version but a
changed full name of the library).
One could even hope that upstream libtool could raise awareness
by dumping a file with the actual symbols exported (another big issue
is C++ libraries which tend to export things that are not really
part of their API), projects can put that into their source control
systems and detect changes. libtool could even generate a version
script based on the old version of the file and add new symbols
always to the latest version.
Richard.
--
Richard Biener
On Monday 2023-02-27 09:33, Richard Biener wrote:
If the feature linked below is merged into rpm, would SUSE be interested in using it? Do you have any suggestions to improve the feature, before it's merged?
One could even hope that upstream libtool could raise awareness by dumping a file with the actual symbols exported [...] libtool could even generate a version script based on the old version of the file and add new symbols always to the latest version.
Sounds commendable, but if we fix libtool, then the meson users get it wrong next. Then the cmake users. I'm dreading to think about what to do about all those plain Makefile writers. Interjecting at the distro level is a must-have.
participants (7)
-
Emanuel Castelo
-
Gordon Messmer
-
Jan Engelhardt
-
Michal Suchánek
-
Richard Biener
-
Stefan Brüns
-
Thorsten Kukuk