Minor packaging flaw in current DeepGit .deb package


Peter Mello

Mar 11, 2024, 3:56:35 AM
to SmartGit
Greetings,

I was able to identify the most innocuous packaging flaw with DeepGit earlier today and though it might look prima facie benign, it's actually been something of a burr in my sock for I'm pretty sure more than a year at this point, so I wanted to make an effort to leave a "public" record of it while it remains top-of-mind in the hopes that:
  1. the release itself can be repackaged correctly when time and resources permit, in the spirit of "if something is worth doing, it's worth doing correctly," despite Debian packages being a legacy/courtesy offering from Syntevo that is not recommended for ongoing use, as well as my tacit understanding that DeepGit is essentially a lowest-tier priority for Syntevo (or may already be EOL?),
  2. to spare any other poor soul who may encounter this nigh-imperceptible gnat of a bug with a realistic chance of contributing to system-wide knock-on effects at least some small chance of stumbling upon what I've learned and thus avoiding the same persistent irritation for themselves.
First things first, a description of the flaw itself. Within the DeepGit Debian (.deb) package currently offered for download, version 4.4 as found at this link, is a malformed control file, DEBIAN/md5sums, whose syntax is capable of breaking some of the more brittle auxiliary packaging services on Debian-based GNU/Linux systems. You can verify this for yourself by downloading the .deb file from the link above and then opening a terminal in which to issue the command:
  $  dpkg --verify <path to deb file>
     dpkg: error: control file 'md5sums' for package 'deepgit' is missing value separator

I'm not sure if the file was edited by hand after the package was built, but somehow it lost one of the two spaces that are required to separate each hash from its associated filepath, leaving every entry in the file with just a single whitespace character between the two parts of each entry. While dpkg and apt are robust enough to fail gracefully in such circumstances, that can't be said of all the various and sundry helper binaries that handle and keep track of packages installed and configured by dpkg. In particular, this flaw has completely hosed the update-apt-xapian-index and FreeDesktop PackageKit services on my personal computers for quite some time, and the extremely subtle nature of it allowed it to fly beneath the radar of several attempts to troubleshoot the issue.

It should be little more than checking that your packaging toolchain (mostly dpkg and devscripts) is fully up-to-date, rebuilding the package and taking care not to manipulate the control files afterwards to correct the matter; I do a fair amount of Debian packaging myself and I've never seen the typical workflow (debuild acting on top of dpkg-buildpackage) produce malformed output like this before.

Thanks for all the years of great software, I look forward to being a happy customer still for many more to come.

Warmly,
Peter Mello
md5sums

syntevo Support

Mar 11, 2024, 8:03:24 AM
to smar...@googlegroups.com
Hi Peter,

What Linux are you using? I'm trying with Ubuntu 22.04 and get this result:

$ dpkg --verify deepgit-4_4.deb
dpkg: package 'deepgit-4_4.deb' is not installed

so I assume it just checks installed packages, not files.

--
Best regards,
Thomas Singer
syntevo GmbH
https://www.syntevo.com


03/11/2024 08:57 - Peter Mello wrote:

> Greetings,
>
> I was able to identify the most innocuous packaging flaw with DeepGit
> earlier today and though it might look prima facie benign, it's actually
> been something of a burr in my sock for I'm pretty sure more than a year at
> this point, so I wanted to make an effort to leave a "public" record of it
> while it remains top-of-mind in the hopes that:
>
> 1. the release itself can be repackaged correctly when time and
> resources permit, in the spirit of "if something is worth doing, it's worth
> doing correctly," despite Debian packages being a legacy/courtesy offering
> from Syntevo that is not recommended for ongoing use, as well as my tacit
> understanding that DeepGit is essentially a lowest-tier priority for
> Syntevo (or may already be EOL?),
> 2. to spare any other poor soul who may encounter this
> nigh-imperceptible gnat of a bug with a realistic chance of contributing to
> system-wide knock-on effects at least some small chance of stumbling upon
> what I've learned and thus avoiding the same persistent irritation for
> themselves.
>
> First things first, a description of the flaw itself. Within the DeepGit
> Debian (.deb) package currently offered for download, version 4.4 as found
> at this link <https://www.syntevo.com/downloads/deepgit/deepgit-4_4.deb>,

Peter Mello

Mar 27, 2024, 4:40:31 AM
to SmartGit
Hello Thomas,

I'm using Kubuntu 23.10 "Mantic Minotaur" and you're absolutely correct, dpkg doesn't check individual deb files unless they're also installed on the system, as prior to that it hasn't ingested the md5sums files into its database. My apologies for steering you in the wrong direction in the original post.

—Peter
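
Added example, not part of the thread: since `dpkg --verify` only inspects installed packages, this shell function lints an `md5sums` control file directly, using the format described in the first post (hash, two spaces, file path). The function name `check_md5sums` and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): lint a DEBIAN/md5sums control file.
# Format assumed from the first post: <32 hex digits><two spaces><path>.
#
# To get the file out of a package that is not installed:
#   dpkg-deb --info deepgit-4_4.deb md5sums > /tmp/md5sums
#   check_md5sums /tmp/md5sums

# check_md5sums FILE
# Prints "FILE:LINE: reason" for every malformed entry.
# Returns 0 if all entries are well-formed, 1 otherwise.
check_md5sums() {
    awk '
        BEGIN { bad = 0 }
        {
            hash = substr($0, 1, 32)
            if (length(hash) != 32 || hash ~ /[^0-9A-Fa-f]/) {
                reason = "does not start with a 32-digit hex MD5"
            } else if (substr($0, 33, 2) != "  ") {
                reason = "missing two-space value separator"
            } else if (length($0) < 35) {
                reason = "missing file path"
            } else {
                next    # well-formed entry
            }
            printf "%s:%d: %s\n", FILENAME, FNR, reason
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: line 1 is well-formed, line 2 has only a single space
# between hash and path, which is the defect described in the post.
sample=$(mktemp)
printf '%s\n' \
    'd41d8cd98f00b204e9800998ecf8427e  usr/share/doc/example/copyright' \
    'd41d8cd98f00b204e9800998ecf8427e usr/share/example/example.sh' > "$sample"
check_md5sums "$sample" || echo "md5sums file is malformed"
rm -f "$sample"
```

Running the same check in a package build pipeline, before the .deb is published, catches this class of defect without installing the package.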
