Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

Bug#1014584: lintian: False positive binary-nmu-debian-revision-in-source and source-nmu-has-incorrect-version-number with Ubuntu version

10 views

Skip to first unread message

Alberto Contreras

unread,

Jul 8, 2022, 5:50:04 AM7/8/22

Package: lintian

Version: 2.115.2

When I invoke `lintian` over a package with a version like `22.2-64-g1fcd55d6-0ubuntu1~22.10.1` it emits `binary-nmu-debian-revision-in-source` and `source-nmu-has-incorrect-version-number` source warnings. This looks like a false positive.

Here is a transcript:

We think it could be related to the following

detection: https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L87

regex: https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L65

The warnings happen in:

- Debian 12, lintian 2.115.2

- Debian 11, lintian 2.104.0

- Debian 10, lintian 2.15.0

- Debian 9, lintian 2.5.50.4

I have created a pastebin with a full reproducer: https://pastebin.ubuntu.com/p/85q7kXbZTW/

Axel Beckert

unread,

Jul 8, 2022, 7:40:03 AM7/8/22

Hi,

Alberto Contreras wrote:
> When I invoke `lintian` over a package with a version like
> `22.2-64-g1fcd55d6-0ubuntu1~22.10.1` it emits
> `binary-nmu-debian-revision-in-source` and
> `source-nmu-has-incorrect-version-number` source warnings. This looks like
> a false positive.

[…]

> We think it could be related to the following
> detection:
> https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L87
> regex:
> https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L65

Nope, it's likely
https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L70
which needs to be updated.

Note to myself: There's a similar albeit not identical issue reported
in https://bugs.debian.org/1001399.

Regards, Axel
--
,''`. | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE

Mattia Rizzolo

unread,

Jul 11, 2022, 2:10:03 PM7/11/22

On Fri, Jul 08, 2022 at 01:34:49PM +0200, Axel Beckert wrote:
> Hi,
>
> Alberto Contreras wrote:
> > When I invoke `lintian` over a package with a version like
> > `22.2-64-g1fcd55d6-0ubuntu1~22.10.1` it emits
> > `binary-nmu-debian-revision-in-source` and
> > `source-nmu-has-incorrect-version-number` source warnings. This looks like

ISTR that source-nmu-* just wasn't issued under ubuntu (i.e. with
--profile=ubutnu), did it start to be issued now? I don't have any
recollection about binary-nmu-*

If I dreamt the whole thing, then perhaps it should be done, because the
concept of NMU doesn't exist in Ubuntu, so the tag as a whole doesn't
make sense.

That said, AFAIK -0ubuntu1~22.10.1 is not a formally documented version
anywhere, though I have seen it a few times.

Alberto: what kind of upload is this? 22.10 is the current dev version,
so it's not some kind of backport. With such context, I can guess that
this is some kind of package that your team is maintianing for multiple
ubuntu branches, in which case I'd expect you to follow the SRU
versioning, which prescribe -0ubuntu0.22.10.1 instead.
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

I must also add that using . instead of ~ is fraught with catches, as
documented by, for example, https://lintian.debian.org/tags/dfsg-version-with-period
So I'd advocate a change in that policy, which hasn't been touched for
at least a decade (when I started contributing to ubuntu packages…)

> Note to myself: There's a similar albeit not identical issue reported
> in https://bugs.debian.org/1001399.

♥ Axel :)

--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-

signature.asc

Chad Smith

unread,

Jul 12, 2022, 6:40:05 PM7/12/22

Hi Axel and Alberto,


Thanks for the conversation on this issue. I just wanted to add a 
little context to cloud-init's versioning scheme in Ubuntu.



> That said, AFAIK -0ubuntu1~22.10.1 is not a formally documented version
anywhere, though I have seen it a few times.

For lack of a better word, I'll refer to the `~XX.YY.1` as a "diminished version suffix".

The diminished version suffix is typically used in a project to which all applies:
 - the project tends to release an upstream version of a package [1.2.3-0ubuntu1]
   without any diminished version suffix
 - the project publishes the same functional upstream version to stable Ubuntu releases

   18.04, 20.04, 22.04, 22.10 [1.2.3-0ubuntu1~XX.YY.1]

When the stable release version is equivalent, minus debian/* release specific packaging
changes, the package version needs to be able to support an upgrade path where the
development release version is greater than the last stable release version:

 dpkg  --compare-versions 1.2.3-0ubuntu1 gt 1.2.3-0ubuntu1~22.10.1

  So, those projects[1] tend to use the tilde `~` sort order to establish that
the stable release package version ~22.04.1 is considered less than the devel release.

This is more common in Ubuntu packages that have an SRU exception because they are more

likely to publish the same upstream version in multiple Ubuntu releases.


  If these projects were to adopt the dot-delimited .24.10.1 "augmented version suffix",
those projects would also need to ensure that any published version in the Ubuntu
development release also contains that Ubuntu devel series augmented suffix .22.10.1.


The docs we used to come up with this sort ordering using the tilde are here
- https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-version (debian_revision)
   
"""
 The lexical comparison is a comparison of ASCII values modified so that all the letters
 sort earlier than all the non-letters and so that a tilde sorts before anything,
 even the end of a part. For example, the following parts are in sorted order from
 earliest to latest: ~~, ~~a, ~, the empty part, a
"""


> Alberto: what kind of upload is this?  22.10 is the current dev version,
so it's not some kind of backport.  With such context, I can guess that
this is some kind of package that your team is maintaining for multiple
ubuntu branches

Correct Axel. This is just an upload into the Ubuntu devel release with a release-specific

diminished version syntax. From cloud-init perspective we figured we could provide

Ubuntu release-specific ~XX.YY.1 to ensure all releases carry the same general format suffix.

This way a community contributor wanting build their own deb from upstream direct,
without version suffix, would be able to install the clean upstream release and upgrade

from what is in-distro in ubuntu.

> ISTR that source-nmu-* just wasn't issued under ubuntu (i.e. with
--profile=ubuntu), did it start to be issued now?  I don't have any
recollection about binary-nmu-*

  All said the nmu lintian warnings seemed to have shown up in lintian reports within the
last year. In cloud-init we don't correct our lintian warnings as much as we should, but
we figured we should raise awareness on this issue to get upstream input on how
this should be addressed long term.

Thanks again for helping bring clarity here,

Chad

References

[1] Some Ubuntu packages which use ~XX.YY diminished package version schemes: 
python3-distutils, ca-certificates, curtin, cloud-init, ubuntu-advantage-tools, wslu, libstdc++6

0 new messages