Merge ~ahasenack/ubuntu/+source/openldap:groovy-openldap-2.4.50-merge-and-delta-drop into ubuntu/+source/openldap:debian/sid

I got this review via email from Ryan Tandy, the debian maintainer of openldap. ">" are his comments, and my reply below.

> - dropping GSSAPI is an ABI break (removing public symbols), therefore I
> think it requires a SONAME change and transition. I was going to
> propose dropping this when we eventually update to 2.5 as I don't
> foresee a SONAME bump happening sooner.

After an LTS is the right time to drop such an old delta, that was
even requested by (now upstream)
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/495418/comments/2

We should be able to rely on the symbols file to handle upgrades, no?
Or do you mean in terms of debian policy the soname must change?

> - dropping nssov breaks upgrades for anyone who has it enabled, unless
> you specifically add scripting to detect and disable it. I guess the
> numbers of users is small but I know at least one person who was (not
> sure whether still is) using nssov.

Scripting with the cn=config backend is tough. And just removing nssov
for the sake of having slapd start up fine would hide the change
somewhat.

For both these changes, we will certainly need release notes, and I
wrote this down already to add to the notes when we are closer to
release. I can also email ubuntu-server@ or even ubuntu-devel@ to get
a feeling who is using these, and what people think. I also think that
right after the LTS is a good time to tackle this problem and drop
stuff we don't use anymore, nor want our users still use. The nss
overlay requires "the client-side stuf library from nss-pam-ldapd",
which we only have in universe since precise, and I would like to
standardize on sssd as much as possible.

More comments. This time, ">" are mine:

On Tue, May 12, 2020 at 02:32:18PM -0300, Andreas Hasenack wrote:
>We should be able to rely on the symbols file to handle upgrades, no?
>Or do you mean in terms of debian policy the soname must change?

The symbols file tracks when new interfaces were added, but when
changing or removing already exported ones, the SONAME must change.

https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries

>Scripting with the cn=config backend is tough. And just removing nssov
>for the sake of having slapd start up fine would hide the change
>somewhat.

Yeah. I was thinking more along the lines of failing the upgrade in
preinst if nssov is enabled, rather than get into a state where recovery
requires manual changes in /etc/ldap/slapd.d.

But the number of users affected is honestly going to be single-digit or
zero, so a release note is probably about all the effort it's worth.

>The nss overlay requires "the client-side stuf library from
>nss-pam-ldapd", which we only have in universe since precise, and I
>would like to standardize on sssd as much as possible.

ACK, recommending sssd makes sense for sure.

Looong changelog, but after reading it twice I agree.
Glad you could drop so much.

I like that you added the reasoning for each of them.
And I also agree that early in the post-LTS cycle is the right time to do so.

Also thanks for sending all the remaining bits that are applicable to Debian already.

This is so much I need to look a bit further, but so far it LGTM

ok, AFAICS old delta is retained correctly.
But a lot is going on, so I hope I didn't miss anything.

Hopefully you can drop more of the already submitted changes next time to further clean this up.

i use and prefer nss-pam-ldapd, so removing nssov would break things for my installations. it doesn't really matter to me if nssov is loaded/enabled/configured by the packaging system [in fact, i would prefer it not be, myself], but it's not clear to me what problem it causes to include it in the package, so people who want it can use it.

as a side note, it would be disappointing to see sssd pushed over nss-pam-ldapd, generally speaking.

As recommended by Ryan Tandy (debian maintainer of openldap), and after a discussion with my colleagues, we decided to not drop the gssapi and CLDAP deltas at this time, because that would require buming the soname of the openldap libraries, which is already at 2.4. When the next upstream major release happens, 2.5, that will be the right time to drop this delta. It's unfortunate, but it's the price to pay for having introduced that back in 2009 without much thinking ahead.

I emailed ubuntu-server@ about these changes, and also posted on the discourse forum.

https://lists.ubuntu.com/archives/ubuntu-server/2020-May/008333.html

https://discourse.ubuntu.com/t/cleaning-up-openldap-packaging/16287

ben thielsen (btb-bitrate), we can continue the nss overlay discussion there.

About the nssov removal, if the previous install is using the overlay, the upgrade fails, quite as expected:

May 21 19:05:20 groovy-nss-overlay slapd[1275]: lt_dlopenext failed: (nssov) file not found
...

Errors were encountered while processing:
 slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)

Expected, but not very nice. Ryan Tandy suggested a check in preinst.

If I check for the nss overlay in slapd.preinst, and exit 1 (just for the sake of testing, let's assume there are debconf prompts asking what to do, and the user chose to abort), then we get:

(...)
Preparing to unpack .../slapd_2.4.50+dfsg-1ubuntu1~ppa4_amd64.deb ...
Saving current slapd configuration to /var/backups/slapd-2.4.49+dfsg-2ubuntu2...
nss overlay in use, aborting install
dpkg: error processing archive ./slapd_2.4.50+dfsg-1ubuntu1~ppa4_amd64.deb (--install):
 new slapd package pre-installation script subprocess returned error exit status 1
  Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.50+dfsg-1ubuntu1~ppa4... done.
Setting up libldap-common (2.4.50+dfsg-1ubuntu1~ppa4) ...
Setting up libldap-2.4-2:amd64 (2.4.50+dfsg-1ubuntu1~ppa4) ...
Setting up ldap-utils (2.4.50+dfsg-1ubuntu1~ppa4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9) ...
Errors were encountered while processing:
 ./slapd_2.4.50+dfsg-1ubuntu1~ppa4_amd64.deb
$ echo $?
1

Summary:
- apt exits 1, indicating a failure
- slapd stays at the previous version, but other packages remain upgraded
- slapd is restarted, but stays running instead of failing to come up

Removing the nss overlay configuration in postinst is complicated, error prone, and might render the system without a working login (assuming the overlay is being used in that system for logins: not always the case).

These are the options as far as I can see, at the moment:
a) don't remove nssov
b) remove nssov, and exit 1 in preinst if it's detected, with the outcome detailed above
c) remove nssov and not handle it. apt fails, slapd remains stopped at the end, system might be without a working logn
d) remove nssov, go through great lengths to remove it from slapd's config (very complicated due to cn=config and the fact that slapd doesn't support removing modules dynamically via ldap commands), and in the end have a running slapd, but without nssov. System might again be without a working login, if nssov was used for that on this system.

If we chose (a), I might as well fix bug #381829 and bug #1452087

I emailed ubuntu-devel[1] about the nssov situation, and will keep the overlay for now until I can come up with a better plan for its removal that doesn't horribly break upgrades for people who are using it.

And the link to my ubuntu-devel post, which I forgot to add in my previous comment:

https://lists.ubuntu.com/archives/ubuntu-devel/2020-May/041004.html

I updated the branch keeping the nssov delta, and I also rearranged the commits a bit so they are together where it makes sense:

a)
commit cee0c2496d9abaee94778cb201462300372d0763
Author: Andreas Hasenack <email address hidden>
Date: Fri Feb 8 18:23:23 2019 -0200

        - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
          - CLDAP (UDP) was added in 2.4.17-1ubuntu2
          - GSSAPI support was enabled in 2.4.18-0ubuntu2

I split this one up in two pieces, and folded them together each with the commit that added the feature. I also added notes about when this can be dropped:
commit b8787fe7f9e5ed0a9d3aabd0fe3c65c5a3d64db1
Author: Andreas Hasenack <email address hidden>
Date: Fri Feb 8 18:22:00 2019 -0200

        - Add support for CLDAP (UDP) support, back then required by
          likewise-open (first enabled in 2.4.17-1ubuntu2):
          + d/rules: Enable -DLDAP_CONNECTIONLESS
          + d/libldap-2.4-2.symbols: add symbols for CLDAP (UDP)
          This should be dropped when the soname changes.

and
commit 90eba5f78d1a44aa3b86956b6916edc8e518f9f8
Author: Andreas Hasenack <email address hidden>
Date: Fri Feb 8 18:16:01 2019 -0200

        - Enable GSSAPI support (first added in 2.4.18-0ubuntu2):
...
          + d/libldap-2.4-2.symbols: add symbols for GSSAPI support
          This should be dropped when the soname changes.

b)
commit a23fad285c57ba7ba8c2a14668c66e637a2a584a
Author: Andreas Hasenack <email address hidden>
Date: Mon Feb 11 09:18:28 2019 -0200

        - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
          Debian bug #919136, we also have to patch the nssov makefile
          accordingly and thus update this patch.

Squashed the above commit into the one adding the nssov delta:
commit 3ebf10cacef2c35e7598c131118aea769b091427
Author: Andreas Hasenack <email address hidden>
Date: Fri Feb 8 18:19:09 2019 -0200

        - Enable nss overlay:
...
          + d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
            Debian bug #919136, we also have to patch the nssov makefile
            accordingly and thus update this patch.

Finally, i also updated the commit messages with the correct list symbol for each indentation level. Basically, replaced many "-" with "+".

sigh, soname troubles plus this nssov thing - this clearly is one of the more ugly merged.
/me hugs Andreas

Re-reviewing the MP as it is right now ...

- Ack on not removing nssov (for now)
- Ack on keeping the bad symbols until we can soname bump
(both as discussed)

+1 on the new set of kept/dropped changes.

One thing if you want to experiment a bit more with it since we can't get rid of the extra features/symbols we have that came to my mind last weekend was deprecating them.
Would it be a reasonable delta to throw in some "deprecated" attributes via [1]?
That way - once we some day remove it - everyone linking against them would have had quite some time being told that they are deprecated.

One could think of a similar strategy for nssov to now yell/warn/message about that it will be dropped later in all places you can - to reduce the impact when you do it some time down the road. IIRC you already have the code to detect nssov and while I agree messing with the config is error-prone, warning that it should not be used would be fine IMHO.

[1]: https://gcc.gnu.org/onlinedocs/gcc-4.7.1/gcc/Type-Attributes.html#Type-Attributes

> One thing if you want to experiment a bit more with it since we can't get rid of
> the extra features/symbols we have that came to my mind last weekend was
> deprecating them. Would it be a reasonable delta to throw in some "deprecated"
> attributes via [1]?

I can play with this, but I'm not sure it's the right thing to do. These symbols are not deprecated, and they fall into two categories:

- cldap support: ber_sockbuf_io_udp and ldap_is_ldapc_url. Both defined in public header files:

include/lber.h:LBER_V( Sockbuf_IO ) ber_sockbuf_io_udp;

and

include/ldap.h:
#ifdef LDAP_CONNECTIONLESS
LDAP_F( int )
ldap_is_ldapc_url LDAP_P((
    LDAP_CONST char *url ));
#endif

Both are only used if LDAP_CONNECTIONLESS is defined.

- gssapi support
This is the "bad" one, as the delta we have is adding internal symbols to the symbols file. For example, ldap_int_gssapi_close is defined in ./libraries/libldap/ldap-int.h. This header file is not even shipped in the libldap2-dev package. Hm, since the header file isn't shipped, I wonder if these symbols can even be used?

Anyway, going back to the point of deprecating symbols, adding a patch that changes C code marking the, say, gssapi symbols deprecated isn't correct, as they shouldn't be exposed in the first place. Using them when linking with the ubuntu openldap packages (if possible, given we don't ship the corresponding header file), that is what is "deprecated", because we want to remove them.

Hm, there are many other *_int_* symbols in the symbols file, also defined just in the -int header file that is not shipped. Meh.

I tested patching one attribute with that flag:

-LDAP_F(void) ldap_int_gssapi_close LDAP_P(( LDAP *ld, LDAPConn *lc ));
+LDAP_F(void) ldap_int_gssapi_close LDAP_P(( LDAP *ld, LDAPConn *lc )) __attribute__ ((deprecated));

The build shows this then:
../../../../libraries/libldap/gssapi.c: In function ‘ldap_int_gssapi_setup’:
../../../../libraries/libldap/gssapi.c:620:2: warning: ‘ldap_int_gssapi_close’ is deprecated [-Wdeprecated-declarations]
  620 | ldap_int_gssapi_close( ld, lc );
      | ^~~~~~~~~~~~~~~~~~~~~
../../../../libraries/libldap/gssapi.c:581:6: note: declared here
  581 | void ldap_int_gssapi_close( LDAP *ld, LDAPConn *lc )
      | ^~~~~~~~~~~~~~~~~~~~~

since that function is used internally, correctly. So I don't think it's a good approach.

Ok, thanks for trying - it was worth that but you have shown it doesn't match your case :-/

I was +1 otherwise on it, so +1 is all that is left after trying the deprecation trick.

About notifying the user that nssov will eventually be removed, I thought of these options:
- d/NEWS file. A bit weird, because we are not changing it yet, so I'm not sure this mechanism applies. But is an interesting notification mechanism for those who have apt-listchanges (I think that's the name) installed. It would only show once, thouch, iiuc.
- simple postinst "echo" lines. Can get lost in all those messages, but can show the warning with every upgrade if we want (i.e., do the check regardless of the package version that is being upgraded)

Any other ideas? Also keep in mind we might not be able to cleanly removed this overlay, so maybe adding these warnings now is premature.

We know that eventually there will always be someone that misses it and later complain.
So don't let perfection be the enemy of progress and pick something that works for the majority.

For this particular case I'm fan of something very noisy on the upgrade if we detected it is in use.
That way the majority of users won't see anything and that is ok as it isn't "for them".
For all the others I think it would be good to be loud and noisy on upgrades.
Actually - we can detect that it is in use can we?

Furthermore orthogonal to the packaging changes something that you can find with a search engine, maybe release notes or server guide (or even a blog if you want). Whatever you think is best for you.

I'm actually -1 on adding notes about future upcoming changes to the packaging at the moment, when such changes aren't there. It's our intention, and that was communicated in 2 mailing lists and the discourse forum. I added a d/slapd.NEWS bit, but am ready to revert that.

As I said above, "Whatever you think is best for you", so if ML+Discourse is what you want that is fine with me. The NEWS entry would be just another Delta with potentially low gain - so I'm ok if you drop it before upload.
I mostly wanted to spawn the idea of trying to communicate it, not define how exactly we do it.

Thanks, sorry for misunderstanding.

Tagging and uploading 890c4eea118142866ff23abe7b8be5d408316d98

$ git push pkg upload/2.4.50+dfsg-1ubuntu1
Enumerating objects: 94, done.
Counting objects: 100% (94/94), done.
Delta compression using up to 4 threads
Compressing objects: 100% (76/76), done.
Writing objects: 100% (78/78), 28.91 KiB | 1.11 MiB/s, done.
Total 78 (delta 55), reused 6 (delta 2)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
 * [new tag] upload/2.4.50+dfsg-1ubuntu1 -> upload/2.4.50+dfsg-1ubuntu1

$ dput ubuntu ../openldap_2.4.50+dfsg-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.50+dfsg-1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.50+dfsg-1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.50+dfsg-1ubuntu1.dsc: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu1.debian.tar.xz: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu1_source.buildinfo: done.
  Uploading openldap_2.4.50+dfsg-1ubuntu1_source.changes: done.
Successfully uploaded packages.

This migrated.