
Bug#1053725: apt-listchanges: Shows NEWS for package tor from 2008


Axel Beckert

Oct 9, 2023, 12:10:04 PM10/9/23
Package: apt-listchanges
Version: 4.0
Severity: normal

Hi,

after the upgrade to 4.0, apt-listchanges showed me this ancient NEWS
when upgrading tor from 0.4.8.6-1 to 0.4.8.7-1.

Reading changelogs... Done
apt-listchanges: News
---------------------

--- News for tor ---

tor (0.2.0.26-rc-1) experimental; urgency=critical

* weak cryptographic keys

It has been discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.

See Debian Security Advisory number 1571 (DSA-1571) for more information:
http://lists.debian.org/debian-security-announce/2008/msg00152.html

If you run a Tor server using this package please see
/var/lib/tor/keys/moved-away-by-tor-package/README.REALLY

-- Peter Palfrader <wea...@debian.org> Tue, 13 May 2008 12:49:05 +0200

(press q to quit)

(In this case it even was an especially embarrassing topic for Debian...)

Might be related or the same as #1053696 by Russ (X-Debbugs-Cc'ed).


-- Package-specific info:

Russ Allbery

Oct 9, 2023, 12:20:04 PM10/9/23
Control: merge 1053696 1053725

Axel Beckert <a...@debian.org> writes:

> after the upgrade to 4.0, apt-listchanges showed me this ancient NEWS
> when upgrading tor from 0.4.8.6-1 to 0.4.8.7-1.

[...]

> Might be related or the same as #1053696 by Russ (X-Debbugs-Cc'ed).

Yeah, fairly sure this is the same problem.

--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>

Jonathan Kamens

Oct 9, 2023, 1:10:05 PM10/9/23

Control: unmerge -1

Not the same bug. #1053696 only applies to changelog entries, not NEWS entries, since the latter can't be downloaded via apt.

I am thus far unable to reproduce this. Still investigating.

Russ Allbery

Oct 9, 2023, 2:10:05 PM10/9/23
Jonathan Kamens <j...@kamens.us> writes:

> Not the same bug. #1053696 only applies to changelog entries, not NEWS
> entries, since the latter can't be downloaded via apt.

> I am thus far unable to reproduce this. Still investigating.

Ah, whoops, sorry, I wasn't reading carefully enough.

Jonathan Kamens

Oct 9, 2023, 3:40:04 PM10/9/23

OK, this will be fixed in 4.1. Description of the bug and fix, copied from the commit message:

    Bug:
    
    * Main package a has both changelog and NEWS.
    * Subpackage a-sub has identical changelog but no NEWS.
    * Both a and a-sub version 1 are installed but not in database.
    * apt goes to upgrade a and a-sub to version 2.
    * apt-listchanges parses a-sub first, records installed entries under
      package a instead of a-sub, since we were using the package name in
      the changelog entry to determine where in the seen DB to record
      entries.
    * apt-listchanges parses a, sees that there are entries for it in
      database, therefore does not parse installed entries so does not
      notice NEWS entry in installed package.
    * As a result, apt-listchanges displays NEWS entry for a when it
      shouldn't have.
    
    Fix:
    
    * Associate entries with binary package names, not the package name in
      the changelog entry itself.
    * When checking if an entry has already been seen, check across all
      packages, not just the binary package being parsed. To facilitate
      this, the seen database maintains a merged dict of all checksums.

I added a unit test for this case which now passes, and all other unit tests continue to pass with the change described above.

Additional FYI comments below.

On 10/9/23 14:05, Axel Beckert wrote:
> Anything I can help with? This is a Sid installation running more or less
> permanently (besides reboots :-) since May 2016. So the
> apt-listchanges database might have seen a few packages. Then again,
> it seems rather short for > 14'000 installed packages.

Note that the database is entirely replaced when upgraded from pre-4.0 to 4.x because its format and what we're storing in it are completely different.

> BTW, while trying to figure out where that db could be I noticed that
> despite 4.0 being installed according to "dpkg -l apt-listchanges", the
> tool itself contains a different version number:
>
>   ~ → head -2 /usr/bin/apt-listchanges
>   #!/usr/bin/python3
>   # EASY-INSTALL-ENTRY-SCRIPT: 'apt-listchanges==3.27','console_scripts','apt-listchanges'

Thanks, fixed this as well.

  jik
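The seen-database logic from the commit message above, modelled in Python as an added example (this is not apt-listchanges' own code): packages `a` and `a-sub` follow the description, the entry texts and the SHA-256 keying are constructed, and `fixed` switches between the 4.0 behaviour (entries keyed by the changelog's source name, lookup only under the binary package) and the 4.1 behaviour (keyed by binary package, lookup across a merged set of all checksums).

```python
import hashlib

# Constructed sample: "a" ships a changelog and NEWS; its subpackage "a-sub"
# ships the identical changelog (source name "a") but no NEWS.
# An entry is (source_name, version, text); version 1 is installed, 2 is new.
def entries(source, kind, up_to):
    return [(source, v, f"{kind} entry for {source} {v}") for v in range(up_to, 0, -1)]

INSTALLED = {  # what is on disk before the upgrade (version 1)
    "a-sub": {"changelog": entries("a", "changelog", 1), "news": []},
    "a":     {"changelog": entries("a", "changelog", 1), "news": entries("a", "NEWS", 1)},
}
NEW = {        # the version-2 .debs apt is about to install
    "a-sub": {"changelog": entries("a", "changelog", 2), "news": []},
    "a":     {"changelog": entries("a", "changelog", 2), "news": entries("a", "NEWS", 2)},
}

def checksum(entry):
    # Constructed stand-in for the per-entry checksum stored in the seen DB.
    return hashlib.sha256(repr(entry).encode()).hexdigest()

def run(order, fixed):
    """Return the NEWS entries that would be displayed for an upgrade of the
    packages in `order`; `fixed` selects the corrected 4.1 logic."""
    seen = {}   # seen DB: package name -> set of entry checksums
    shown = []
    for binpkg in order:
        if binpkg not in seen:
            # No record for this package yet: mark the installed entries as seen.
            for kind in ("changelog", "news"):
                for entry in INSTALLED[binpkg][kind]:
                    # Bug: key by the changelog's source name, so a-sub's entries
                    # land under "a" and "a" later looks already recorded.
                    key = binpkg if fixed else entry[0]
                    seen.setdefault(key, set()).add(checksum(entry))
        # Fix: consult checksums across all packages, not just this binary one.
        known = set().union(*seen.values()) if fixed else seen.get(binpkg, set())
        shown += [e for e in NEW[binpkg]["news"] if checksum(e) not in known]
    return shown

if __name__ == "__main__":
    print("4.0, a-sub first:", [e[1] for e in run(("a-sub", "a"), fixed=False)])  # [2, 1]
    print("4.1, a-sub first:", [e[1] for e in run(("a-sub", "a"), fixed=True)])   # [2]
```

With the old logic the outcome also depends on parse order: processing `a` before `a-sub` records its NEWS and shows only version 2, which is why the bug was hard to reproduce.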


Axel Beckert

Oct 9, 2023, 3:50:05 PM10/9/23
Hi Jonathan,

Jonathan Kamens wrote:
> OK, this will be fixed in 4.1.

Yay, thanks!

> Description of the bug and fix, copied from the commit message:
>
> Bug:
> * Main package a has both changelog and NEWS.
> * Subpackage a-sub has identical changelog but no NEWS.
> * Both a and a-sub version 1 are installed but not in database.
> * apt goes to upgrade a and a-sub to version 2.
> * apt-listchanges parses a-sub first, records installed entries under
> package a instead of a-sub, since we were using the package name in
> the changelog entry to determine where in the seen DB to record
> entries.

Ouch, that seemed rather non-trivial to figure out and reproduce.

> I added a unit test for this case which now passes, and all other unit tests
> continue to pass with the change described above.

Perfect!

> Note that the database is entirely replaced when upgraded from pre-4.0 to
> 4.x because its format and what we're storing in it are completely
> different.

Ok, wasn't sure how relevant its content is. Just tried to help. :-)

> > # EASY-INSTALL-ENTRY-SCRIPT: 'apt-listchanges==3.27','console_scripts','apt-listchanges'
>
> Thanks, fixed this as well.

Great!

Regards, Axel
--
,''`. | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE