X-Git-Url: https://git.donarmstrong.com/?p=debian%2Fdebian-policy.git;a=blobdiff_plain;f=policy.sgml;h=404dc7373f80cdc20bf793e064d7163e3885518f;hp=5a8de36f71841cc9c03b1df5c6ca3f9521a99a66;hb=HEAD;hpb=3de3b0bb699c0040c2f649730ba248e93bd55f7f diff --git a/policy.sgml b/policy.sgml index 5a8de36..404dc73 100644 --- a/policy.sgml +++ b/policy.sgml @@ -158,6 +158,14 @@ distributed in some other way or is intended for local use only.

+ +

+ udebs (stripped-down binary packages used by the Debian Installer) do + not comply with all of the requirements discussed here. See the + for more + information about them. +

@@ -221,9 +229,8 @@ Russ Allbery Bill Allombert - Andrew McMillan - Manoj Srivastava - Colin Watson + Andreas Barth + Jonathan Nieder

@@ -714,21 +721,62 @@

The Debian archive maintainers provide the authoritative list of sections. At present, they are: - admin, cli-mono, comm, database, - devel, debug, doc, editors, - education, electronics, embedded, - fonts, games, gnome, graphics, - gnu-r, gnustep, hamradio, haskell, - httpd, interpreters, introspection, - java, kde, kernel, libs, - libdevel, lisp, localization, - mail, math, metapackages, misc, - net, news, ocaml, oldlibs, - otherosfs, perl, php, python, - ruby, science, shells, sound, - tex, text, utils, vcs, - video, web, x11, xfce, - zope. The additional section debian-installer +admin, +cli-mono, +comm, +database, +debug, +devel, +doc, +editors, +education, +electronics, +embedded, +fonts, +games, +gnome, +gnu-r, +gnustep, +graphics, +hamradio, +haskell, +httpd, +interpreters, +introspection, +java, +kde, +kernel, +libdevel, +libs, +lisp, +localization, +mail, +math, +metapackages, +misc, +net, +news, +ocaml, +oldlibs, +otherosfs, +perl, +php, +python, +ruby, +science, +shells, +sound, +tasks, +tex, +text, +utils, +vcs, +video, +web, +x11, +xfce, +zope. + The additional section debian-installer contains special packages used by the installer and is not used for normal Debian packages.
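Review bot: The only substantive change in this section list is the new "tasks" entry, but it is buried in a one-entry-per-line reflow that also reorders "debug"/"devel", "gnu-r"/"gnustep"/"graphics" and "libdevel"/"libs". Splitting the reflow and sort from the addition of "tasks" would let the archive-section change be reviewed on its own, and the commit message should say that "tasks" is new.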

@@ -848,10 +896,11 @@ Among those files are the package maintainer scripts and control, the binary package control file that contains the control fields for - the package. Other control information files - include the shlibs - file used to store shared library dependency information - and the conffiles file that lists the package's + the package. Other control information files include + the symbols file + or shlibs file + used to store shared library dependency information and + the conffiles file that lists the package's configuration files (described in ).

@@ -1224,7 +1273,7 @@

Essential is defined as the minimal set of functionality that must be available and usable on the system at all times, even - when packages are in an unconfigured (but unpacked) state. + when packages are in the "Unpacked" state. Packages are tagged essential for a system using the Essential control field. The format of the Essential control field is described in dpkg to stave off boredom on - the part of a user installing many packages. This means, - amongst other things, using the --quiet option on - install-info. + the part of a user installing many packages. This means, + amongst other things, not passing the --verbose + option to update-alternatives.

@@ -1311,7 +1360,7 @@ installed together. If update-alternatives is not used, then each package must use Conflicts to ensure that other packages are - de-installed. (In this case, it may be appropriate to + removed. (In this case, it may be appropriate to specify a conflict against earlier versions of something that previously did not use update-alternatives; this is an exception to @@ -1687,7 +1736,7 @@ /closes:\s*(?:bug)?\#?\s?\d+(?:,\s*(?:bug)?\#?\s?\d+)*/i Then all of the bug numbers listed will be closed by the - archive maintenance script (katie) using the + archive maintenance software (dak) using the version of the changelog entry. This information is conveyed via the Closes field @@ -1696,11 +1745,14 @@

The maintainer name and email address used in the changelog - should be the details of the person uploading this - version. They are not necessarily those of the - usual package maintainer. - If the developer uploading the package is not one of the usual - maintainers of the package (as listed in + should be the details of the person who prepared this release of + the package. They are not necessarily those of the + uploader or usual package maintainer. + In the case of a sponsored upload, the uploader signs the + files, but the changelog maintainer name and address are those + of the person who prepared this release. If the preparer of + the release is not one of the usual maintainers of the package + (as listed in the Maintainer or Uploaders control fields of the package), the first line of the changelog is @@ -1866,7 +1918,8 @@

The following targets are required and must be implemented by debian/rules: clean, binary, - binary-arch, binary-indep, and build. + binary-arch, binary-indep, build, + build-arch and build-indep. These are the targets called by dpkg-buildpackage.

@@ -1878,6 +1931,10 @@ any target that these targets depend on must also be non-interactive.

+

+ For packages in the main archive, no required targets + may attempt network access. +

The targets are as follows: @@ -1946,51 +2003,33 @@

- build-arch (optional), - build-indep (optional) + build-arch (required), + build-indep (required)

- A package may also provide one or both of the targets - build-arch and build-indep. - The build-arch target, if provided, should + The build-arch target must perform all the configuration and compilation required for producing all architecture-dependant binary packages (those packages for which the body of the Architecture field in debian/control is not all). Similarly, the build-indep - target, if provided, should perform all the configuration + target must perform all the configuration and compilation required for producing all architecture-independent binary packages (those packages for which the body of the Architecture field in debian/control is all). -

- -

- If build-arch or build-indep targets are - provided in the rules file, the build target + The build target should either depend on those targets or take the same actions as invoking those targets would perform. - The intent of this split is so that binary-only builds - need not install the dependencies required for - the build-indep target. However, this is not - yet used in practice since dpkg-buildpackage - -B, and therefore the autobuilders, - invoke build rather than build-arch - due to the difficulties in determining whether the - optional build-arch target exists. + This split allows binary-only builds to not install the + dependencies required for the build-indep + target and skip any resource-intensive build tasks that + are only required when building architecture-independent + binary packages.

-

- If one or both of the targets build-arch and - build-indep are not provided, then invoking - debian/rules with one of the not-provided - targets as arguments should produce a exit status code - of 2. Usually this is provided automatically by make - if the target is missing. -

-

The build-arch and build-indep targets must not do anything that might require root privilege. @@ -2129,7 +2168,7 @@

The architectures we build on and build for are determined by make variables using the - utility dpkg-architecture. + utility dpkg-architecture. You can determine the Debian architecture and the GNU style architecture specification string for the build architecture as well as for the host architecture. The build architecture is @@ -2334,8 +2373,7 @@ endif This is an optional, recommended configuration file for the uscan utility which defines how to automatically scan ftp or http sites for newly available updates of the - package. This is used - by and other Debian QA + package. This is used Debian QA tools to help with quality control and maintenance of the distribution as a whole.
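Review bot: In the debian/watch hunk the replacement line reads "This is used Debian QA": dropping the reference that followed "by" also dropped the preposition, so the sentence no longer parses. The added line should read "package. This is used by Debian QA".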

@@ -2509,7 +2547,7 @@ endif composed of US-ASCII characters excluding control characters, space, and colon (i.e., characters in the ranges 33-57 and 59-126, inclusive). Field names must not begin with the comment - character, #. + character, #, nor with the hyphen character, -.

@@ -2524,7 +2562,9 @@ Package: libc6 the field name is Package and the field value libc6.

- +

Empty field values are only permitted in source package control files + (debian/control). Such fields are ignored. +

A paragraph must not contain more than one instance of a particular field name. @@ -2625,12 +2665,12 @@ Package: libc6 Source (mandatory) Maintainer (mandatory) Uploaders - DM-Upload-Allowed Section (recommended) Priority (recommended) Build-Depends et al Standards-Version (recommended) Homepage + Vcs-Browser, Vcs-Git, et al.

@@ -2646,6 +2686,8 @@ Package: libc6 Depends et al Description (mandatory) Homepage + Built-Using + Package-Type

@@ -2665,6 +2707,7 @@ Package: libc6 file. These tools are responsible for removing the line breaks from such fields when using fields from debian/control to generate other control files. + They are also responsible for discarding empty fields.

@@ -2701,6 +2744,7 @@ Package: libc6 Maintainer (mandatory) Description (mandatory) Homepage + Built-Using

@@ -2721,12 +2765,14 @@ Package: libc6 Version (mandatory) Maintainer (mandatory) Uploaders - DM-Upload-Allowed Homepage + Vcs-Browser, Vcs-Git, et al. + Dgit Standards-Version (recommended) Build-Depends et al + Package-List (recommended) Checksums-Sha1 - and Checksums-Sha256 (recommended) + and Checksums-Sha256 (mandatory) Files (mandatory)

@@ -2779,7 +2825,7 @@ Package: libc6 Closes Changes (mandatory) Checksums-Sha1 - and Checksums-Sha256 (recommended) + and Checksums-Sha256 (mandatory) Files (mandatory)

@@ -3636,7 +3682,7 @@ Files:

The special value byhand for the section in a .changes file indicates that the file in question - is not an ordinary package file and must by installed by + is not an ordinary package file and must be installed by hand by the distribution maintainers. If the section is byhand the priority should be -.

@@ -3713,28 +3759,114 @@ Checksums-Sha256:

- In the .dsc file, these fields should list all + In the .dsc file, these fields list all files that make up the source package. In - the .changes file, these fields should list all + the .changes file, these fields list all files being uploaded. The list of files in these fields must match the list of files in the Files field.

- + DM-Upload-Allowed

- Indicates that Debian Maintainers may upload this package to - the Debian archive. The only valid value is yes. If - the field DM-Upload-Allowed: yes is present in the - source section of the source control file of the most recent - version of a package in unstable or experimental, the Debian - archive will accept uploads of this package signed with a key - in the Debian Maintainer keyring. See the General - Resolution for more - details. + Obsolete, see below. +

+
+ + + Version Control System (VCS) fields + +

+ Debian source packages are increasingly developed using VCSs. The + purpose of the following fields is to indicate a publicly accessible + repository where the Debian source package is developed. + + + Vcs-Browser + +

+ URL of a web interface for browsing the repository. +

+ + + + Vcs-Arch, Vcs-Bzr (Bazaar), Vcs-Cvs, + Vcs-Darcs, Vcs-Git, Vcs-Hg + (Mercurial), Vcs-Mtn (Monotone), Vcs-Svn + (Subversion) + + +

+ The field name identifies the VCS. The field's value uses the + version control system's conventional syntax for describing + repository locations and should be sufficient to locate the + repository used for packaging. Ideally, it also locates the + branch used for development of new versions of the Debian + package. +

+

+ In the case of Git, the value consists of a URL, optionally + followed by the word -b and the name of a branch in + the indicated repository, following the syntax of the + git clone command. If no branch is specified, the + packaging should be on the default branch. +

+

+ More than one different VCS may be specified for the same + package. +

+
+ +

+
+ + + Package-List + +

+ Multiline field listing all the packages that can be built from + the source package, considering every architecture. The first line + of the field value is empty. Each one of the next lines describes + one binary package, by listing its name, type, section and priority + separated by spaces. Fifth and subsequent space-separated items + may be present and parsers must allow them. See the + Package-Type field for a list of + package types. +

+
+ + + Package-Type + +

+ Simple field containing a word indicating the type of package: + deb for binary packages and udeb for micro binary + packages. Other types not defined here may be indicated. In + source package control files, the Package-Type field + should be omitted instead of giving it a value of deb, as + this value is assumed for paragraphs lacking this field. +

+
+ + + Dgit + +

+ Folded field containing a single git commit hash, presented in + full, followed optionally by whitespace and other data to be + defined in future extensions. +

+ +

+ Declares that the source package corresponds exactly to a + referenced commit in a Git repository available at the canonical + location called dgit-repos, used by dgit, a + bidirectional gateway between the Debian archive and Git. The + commit is reachable from at least one reference whose name matches + refs/dgit/*. See the manual page of dgit for + further details.
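Review bot: The Dgit description lets the commit hash be "followed optionally by whitespace and other data to be defined in future extensions" but does not say what a consumer must do with that trailing data, whereas Package-List in this same hunk states that "parsers must allow them" for extra items. Add the equivalent requirement here (parsers must accept and ignore anything after the hash), and spell out what "presented in full" means for the hash so that a truncated or malformed value can be rejected rather than matched loosely.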

@@ -3783,6 +3915,28 @@ Checksums-Sha256: + + Obsolete fields + +

+ The following fields have been obsoleted and may be found in packages + conforming with previous versions of the Policy. +

+ + + DM-Upload-Allowed + +

+ Indicates that Debian Maintainers may upload this package to + the Debian archive. The only valid value is yes. This + field was used to regulate uploads by Debian Maintainers, See the + General Resolution for more details. +

+
+ +
+ @@ -3845,8 +3999,7 @@ Checksums-Sha256: Programs called from maintainer scripts should not normally have a path prepended to them. Before installation is started, the package management system checks to see if the - programs ldconfig, - start-stop-daemon, install-info, + programs ldconfig, start-stop-daemon, and update-rc.d can be found via the PATH environment variable. Those programs, and any other program that one would expect to be in the @@ -3945,7 +4098,7 @@ Checksums-Sha256: pre-dependencies (Pre-Depends) may be assumed to be available. Pre-dependencies will have been configured at least once, but at the time the preinst is - called they may only be in an unpacked or "Half-Configured" + called they may only be in an "Unpacked" or "Half-Configured" state if a previous version of the pre-dependency was completely configured and has not been removed since then. @@ -3959,7 +4112,7 @@ Checksums-Sha256: partly from the new version or partly missing, so the script cannot rely on files included in the package. Package dependencies may not be available. Pre-dependencies will be - at least unpacked following the same rules as above, except + at least "Unpacked" following the same rules as above, except they may be only "Half-Installed" if an upgrade of the pre-dependency failed. This can happen if the new version of the package no @@ -3978,7 +4131,7 @@ Checksums-Sha256: most-recently-configured-version The files contained in the package will be unpacked. All - package dependencies will at least be unpacked. If there + package dependencies will at least be "Unpacked". If there are no circular dependencies involved, all package dependencies will be configured. For behavior in the case of circular dependencies, see the discussion 
@@ -4002,7 +4155,7 @@ Checksums-Sha256: will have previously been configured and not removed. However, dependencies may not be configured or even fully unpacked in some error situations. - For example, suppose packages foo and bar are installed + For example, suppose packages foo and bar are "Installed" with foo depending on bar. If an upgrade of bar were started and then aborted, and then an attempt to remove foo failed because its prerm script failed, @@ -4039,7 +4192,7 @@ Checksums-Sha256: at least "Half-Installed". All package dependencies will at least be "Half-Installed" and will have previously been configured and not removed. If there was no error, all - dependencies will at least be unpacked, but these actions + dependencies will at least be "Unpacked", but these actions may be called in various error states where dependencies are only "Half-Installed" due to a partial upgrade. @@ -4068,7 +4221,7 @@ Checksums-Sha256: The postrm script is called after the package's files have been removed or replaced. The package whose postrm is being called may have - previously been deconfigured and only be unpacked, at which + previously been deconfigured and only be "Unpacked", at which point subsequent package changes do not consider its dependencies. Therefore, all postrm actions may only rely on essential packages and must gracefully skip @@ -4131,7 +4284,7 @@ fi - If a version of the package is already installed, call + If a version of the package is already "Installed", call old-prerm upgrade new-version @@ -4246,7 +4399,7 @@ fi Otherwise, if the package had some configuration files from a previous version installed (i.e., it - is in the "configuration files only" state): + is in the "Config-Files" state): new-preinst install old-version 
@@ -4271,7 +4424,7 @@ fi If the error-unwind fails, the package is in a "Half-Installed" phase, and requires a reinstall. If the error unwind works, the - package is in a not installed state. + package is in the "Not-Installed" state. @@ -4409,7 +4562,7 @@ fi It is noted in the status database as being in a - sane state, namely not installed (any conffiles + sane state, namely "Not-Installed" (any conffiles it may have are ignored, rather than being removed by dpkg). Note that disappearing packages do not have their prerm @@ -4435,7 +4588,7 @@ fi

The new package's status is now sane, and recorded as - "unpacked". + "Unpacked".

@@ -4472,7 +4625,7 @@ fi

No attempt is made to unwind after errors during configuration. If the configuration fails, the package is in - a "Failed Config" state, and an error message is generated. + a "Half-Configured" state, and an error message is generated.

@@ -4592,8 +4745,8 @@ fi dependencies on other packages, the package names listed may also include lists of alternative package names, separated by vertical bar (pipe) symbols |. In such a case, - if any one of the alternative packages is installed, that - part of the dependency is considered to be satisfied. + that part of the dependency can be satisfied by any one of + the alternative packages.

@@ -4607,13 +4760,13 @@ fi

The relations allowed are <<, <=, - =, >= and >> for - strictly earlier, earlier or equal, exactly equal, later or - equal and strictly later, respectively. The deprecated - forms < and > were used to mean - earlier/later or equal, rather than strictly earlier/later, - so they should not appear in new packages (though - dpkg still supports them). + =, >= and >> for strictly + earlier, earlier or equal, exactly equal, later or equal and + strictly later, respectively. The deprecated + forms < and > were confusingly used to + mean earlier/later or equal, rather than strictly earlier/later, + and must not appear in new packages (though dpkg + still supports them with a warning).

@@ -4677,7 +4830,8 @@ Build-Depends: kernel-headers-2.2.10 [!hurd-i386],

- For binary relationship fields, the architecture restriction + For binary relationship fields and the Built-Using + field, the architecture restriction syntax is only supported in the source package control file debian/control. When the corresponding binary package control file is generated, the relationship will either @@ -4923,11 +5077,11 @@ Build-Depends: foo [linux-any], bar [any-i386], baz [!linux-any] be unpacked the pre-dependency can be satisfied if the depended-on package is either fully configured, or even if the depended-on - package(s) are only unpacked or in the "Half-Configured" + package(s) are only in the "Unpacked" or the "Half-Configured" state, provided that they have been configured correctly at some point in the past (and not removed or partially removed since). In this case, both the - previously-configured and currently unpacked or + previously-configured and currently "Unpacked" or "Half-Configured" versions must satisfy any version clause in the Pre-Depends field.

@@ -5282,7 +5436,7 @@ Depends: foo-data (>= 1.2-3) dpkg does not know of any files it still contains, it is considered to have "disappeared". It will be marked as not wanted on the system (selected for - removal) and not installed. Any conffiles + removal) and "Not-Installed". Any conffiles details noted for the package will be ignored, as they will have been taken over by the overwriting package. The package's postrm script will be run with a @@ -5401,6 +5555,53 @@ Replaces: mail-transport-agent

+ + + Additional source packages used to build the binary + - Built-Using + + +

+ Some binary packages incorporate parts of other packages when built + but do not have to depend on those packages. Examples include + linking with static libraries or incorporating source code from + another package during the build. In this case, the source packages + of those other packages are a required part of the complete source + (the binary package is not reproducible without them). +

+ +

+ A Built-Using field must list the corresponding source + package for any such binary package incorporated during the build + + Build-Depends in the source package is not adequate since + it (rightfully) does not document the exact version used in the + build. + , + including an "exactly equal" ("=") version relation on the version + that was used to build that binary package + The archive software might reject packages that refer to + non-existent sources. + . +

+ +

+ A package using the source code from the gcc-4.6-source + binary package built from the gcc-4.6 source package would + have this field in its control file: + +Built-Using: gcc-4.6 (= 4.6.0-11) + +

+ +

+ A package including binaries from grub2 and loadlin would + have this field in its control file: + +Built-Using: grub2 (= 1.99-9), loadlin (= 1.6e-1) + +

+
@@ -5493,16 +5694,28 @@ Replaces: mail-transport-agent be placed in a package named librarynamesoversion, where soversion is the version number in - the SONAME of the shared library. - See for detailed information on how to - determine this version. Alternatively, if it would be confusing - to directly append soversion - to libraryname (if, for example, libraryname - itself ends in a number), you should use + the SONAME of the shared library. Alternatively, if it + would be confusing to directly append soversion + to libraryname (if, for + example, libraryname itself ends in a number), you + should use libraryname-soversion instead.

+

+ To determine the soversion, look at + the SONAME of the library, stored in the + ELF SONAME attribute. It is usually of the + form name.so.major-version (for + example, libz.so.1). The version part is the part + which comes after .so., so in that example it + is 1. The soname may instead be of the + form name-major-version.so, such + as libdb-5.1.so, in which case the name would + be libdb and the version would be 5.1. +

+

If you have several shared libraries built from the same source tree, you may lump them all together into a single shared @@ -5538,9 +5751,8 @@ Replaces: mail-transport-agent linked against the old shared library. Correct versioning of dependencies on the newer shared library by binaries that use the new interfaces is handled via - the shlibs - system or via symbols files (see - ). + the symbols + or shlibs system.

@@ -5809,361 +6021,890 @@ Replaces: mail-transport-agent

- - Dependencies between the library and other packages - - the shlibs system + + Dependencies between the library and other + packages

If a package contains a binary or library which links to a - shared library, we must ensure that when the package is - installed on the system, all of the libraries needed are - also installed. This requirement led to the creation of the - shlibs system, which is very simple in its design: - any package which provides a shared library also - provides information on the package dependencies required to - ensure the presence of this library, and any package which - uses a shared library uses this information to - determine the dependencies it requires. The files which - contain the mapping from shared libraries to the necessary - dependency information are called shlibs files. -

- -

- When a package is built which contains any shared libraries, it - must provide a shlibs file for other packages to - use. When a package is built which contains any shared - libraries or compiled binaries, it must run - dpkg-shlibdeps - on these to determine the libraries used and hence the - dependencies needed by this package. -

+ shared library, we must ensure that, when the package is + installed on the system, all of the libraries needed are also + installed. These dependencies must be added to the binary + package when it is built, since they may change based on which + version of a shared library the binary or library was linked + with even if there are no changes to the source of the binary + (for example, symbol versions change, macros become functions or + vice versa, or the binary package may determine at compile-time + whether new library interfaces are available and can be called). + To allow these dependencies to be constructed, shared libraries + must provide either a symbols file or + a shlibs file. These provide information on the + package dependencies required to ensure the presence of + interfaces provided by this library. Any package with binaries + or libraries linking to a shared library must use these files to + determine the required dependencies when it is built. Other + packages which use a shared library (for example using + dlopen()) should compute appropriate dependencies + using these files at build time as well. +

+ +

+ The two mechanisms differ in the degree of detail that they + provide. A symbols file documents, for each symbol + exported by a library, the minimal version of the package any + binary using this symbol will need. This is typically the + version of the package in which the symbol was introduced. This + information permits detailed analysis of the symbols used by a + particular package and construction of an accurate dependency, + but it requires the package maintainer to track more information + about the shared library. +

+ +

+ A shlibs file, in contrast, only documents the last + time the library ABI changed in any way. It only provides + information about the library as a whole, not individual + symbols. When a package is built using a shared library with + only a shlibs file, the generated dependency will + require a version of the shared library equal to or newer than + the version of the last ABI change. This generates + unnecessarily restrictive dependencies compared + to symbols files if none of the symbols used by the + package have changed. This, in turn, may make upgrades + needlessly complex and unnecessarily restrict use of the package + on systems with older versions of the shared libraries. +

+ +

+ shlibs files also only support a limited range of + library SONAMEs, making it difficult to use shlibs + files in some unusual corner cases. + A shlibs file represents an SONAME as a library + name and version number, such as libfoo VERSION, + instead of recording the actual SONAME. If the SONAME doesn't + match one of the two expected formats + (libfoo-VERSION.so or libfoo.so.VERSION), it + cannot be represented. + +

+ +

+ symbols files are therefore recommended for most + shared library packages since they provide more accurate + dependencies. For most C libraries, the additional detail + required by symbols files is not too difficult to + maintain. However, maintaining exhaustive symbols information + for a C++ library can be quite onerous, so shlibs + files may be more appropriate for most C++ libraries. Libraries + with a corresponding udeb must also provide + a shlibs file, since the udeb infrastructure does + not use symbols files. +

+ + + Generating dependencies on shared libraries + +

+ When a package that contains any shared libraries or compiled + binaries is built, it must run dpkg-shlibdeps on + each shared library and compiled binary to determine the + libraries used and hence the dependencies needed by the + package. dpkg-shlibdeps will use a program like objdump or readelf to find - the libraries directly needed by the binaries or shared - libraries in the package. + the libraries and the symbols in those libraries directly + needed by the binaries or shared libraries in the package. + + To do this, put a call to dpkg-shlibdeps into + your debian/rules file in the source package. + List all of the compiled binaries, libraries, or loadable + modules in your package. + The easiest way to call dpkg-shlibdeps + correctly is to use a package helper framework such + as debhelper. If you are + using debhelper, + the dh_shlibdeps program will do this work for + you. It will also correctly handle multi-binary packages. + + dpkg-shlibdeps will use the symbols + or shlibs files installed by the shared libraries + to generate dependency information. The package must then + provide a substitution variable into which the discovered + dependency information can be placed. +

+ +

+ If you are creating a udeb for use in the Debian Installer, + you will need to specify that dpkg-shlibdeps + should use the dependency line of type udeb by adding + the -tudeb option + dh_shlibdeps from the debhelper suite + will automatically add this option if it knows it is + processing a udeb. + . If there is no dependency line of + type udeb in the shlibs + file, dpkg-shlibdeps will fall back to the + regular dependency line. +

+ +

+ dpkg-shlibdeps puts the dependency information + into the debian/substvars file by default, which + is then used by dpkg-gencontrol. You will need + to place a ${shlibs:Depends} variable in + the Depends field in the control file of every binary + package built by this source package that contains compiled + binaries, libraries, or loadable modules. If you have + multiple binary packages, you will need to + call dpkg-shlibdeps on each one which contains + compiled libraries or binaries. For example, you could use + the -T option to the dpkg utilities to + specify a different substvars file for each + binary package. + Again, dh_shlibdeps + and dh_gencontrol will handle everything except + the addition of the variable to the control file for you if + you're using debhelper, including + generating separate substvars files for each + binary package and calling dpkg-gencontrol with + the appropriate flags. + +

+ +

+ For more details on dpkg-shlibdeps, + see . +

+ +

+ We say that a binary foo directly uses a + library libbar if it is explicitly linked with that + library (that is, the library is listed in the + ELF NEEDED attribute, caused by adding -lbar + to the link line when the binary is created). Other libraries + that are needed by libbar are + linked indirectly to foo, and the dynamic + linker will load them automatically when it + loads libbar. A package should depend on the + libraries it directly uses, but not the libraries it only uses + indirectly. The dependencies for the libraries used + directly will automatically pull in the indirectly-used + libraries. dpkg-shlibdeps will handle this logic + automatically, but package maintainers need to be aware of + this distinction between directly and indirectly using a + library if they have to override its results for some reason. + + A good example of where this helps is the following. We + could update libimlib with a new version that + supports a new revision of a graphics format called dgf (but + retaining the same major version number) and depends on a + new library package libdgf4 instead of + the older libdgf3. If we + used ldd to add dependencies for every library + directly or indirectly linked with a binary, every package + that uses libimlib would need to be recompiled so + it would also depend on libdgf4 in order + to retire the older libdgf3 package. + Since dependencies are only added based on + ELF NEEDED attribute, packages + using libimlib can rely on libimlib itself + having the dependency on an appropriate version + of libdgf and do not need rebuilding. + +

+
+ + + Shared library ABI changes + +

+ Maintaining a shared library package using + either symbols or shlibs files + requires being aware of the exposed ABI of the shared library + and any changes to it. Both symbols + and shlibs files record every change to the ABI + of the shared library; symbols files do so per + public symbol, whereas shlibs files record only + the last change for the entire library. +

+ +

+ There are two types of ABI changes: ones that are + backward-compatible and ones that are not. An ABI change is + backward-compatible if any reasonable program or library that + was linked with the previous version of the shared library + will still work correctly with the new version of the shared + library. + An example of an "unreasonable" program is one that uses + library interfaces that are documented as internal and + unsupported. If the only programs or libraries affected by + a change are "unreasonable" ones, other techniques, such as + declaring Breaks relationships with affected + packages or treating their usage of the library as bugs in + those packages, may be appropriate instead of changing the + SONAME. However, the default approach is to change the + SONAME for any change to the ABI that could break a program. + + Adding new symbols to the shared library is a + backward-compatible change. Removing symbols from the shared + library is not. Changing the behavior of a symbol may or may + not be backward-compatible depending on the change; for + example, changing a function to accept a new enum constant not + previously used by the library is generally + backward-compatible, but changing the members of a struct that + is passed into library functions is generally not unless the + library takes special precautions to accept old versions of + the data structure. +

+ +

+ ABI changes that are not backward-compatible normally require + changing the SONAME of the library and therefore the + shared library package name, which forces rebuilding all + packages using that shared library to update their + dependencies and allow them to use the new version of the + shared library. For more information, + see . The remainder of this + section will deal with backward-compatible changes. +

+ +

+ Backward-compatible changes require either updating or + recording the minimal-version for that symbol + in symbols files or updating the version in + the dependencies in shlibs files. For + more information on how to do this in the two formats, see + and . Below are general + rules that apply to both files. +

+ +

+ The easy case is when a public symbol is added. Simply add + the version at which the symbol was introduced + (for symbols files) or update the dependency + version (for shlibs) files. But special care + should be taken to update dependency versions when the + behavior of a public symbol changes. This is easy to neglect, + since there is no automated method of determining such + changes, but failing to update versions in this case may + result in binary packages with too-weak dependencies that will + fail at runtime, possibly in ways that can cause security + vulnerabilities. If the package maintainer believes that a + symbol behavior change may have occurred but isn't sure, it's + safer to update the version rather than leave it unmodified. + This may result in unnecessarily strict dependencies, but it + ensures that packages whose dependencies are satisfied will + work properly. +

+ +

+ A common example of when a change to the dependency version + is required is a function that takes an enum or struct + argument that controls what the function does. For example: + + enum library_op { OP_FOO, OP_BAR }; + int library_do_operation(enum library_op); + + If a new operation, OP_BAZ, is added, + the minimal-version + of library_do_operation (for symbols + files) or the version in the dependency for the shared library + (for shlibs files) must be increased to the + version at which OP_BAZ was introduced. Otherwise, a + binary built against the new version of the library (having + detected at compile-time that the library + supports OP_BAZ) may be installed with a shared + library that doesn't support OP_BAZ and will fail at + runtime when it tries to pass OP_BAZ into this + function. +

+ +

+ Dependency versions in either symbols + or shlibs files normally should not contain the + Debian revision of the package, since the library behavior is + normally fixed for a particular upstream version and any + Debian packaging of that upstream version will have the same + behavior. In the rare case that the library behavior was + changed in a particular Debian revision, appending ~ + to the end of the version that includes the Debian revision is + recommended, since this allows backports of the shared library + package using the normal backport versioning convention to + satisfy the dependency. +

+
+ + + The symbols system + +

+ In the following sections, we will first describe where the + various symbols files are to be found, then + the symbols file format, and finally how to + create symbols files if your package contains a + shared library. +

+ + + The symbols files present on the + system + +

+ symbols files for a shared library are normally + provided by the shared library package as a control file, + but there are several override paths that are checked first + in case that information is wrong or missing. The following + list gives them in the order in which they are read + by dpkg-shlibdeps The first one that contains + the required information is used. + + +

debian/*/DEBIAN/symbols

+ +

+ During the package build, if the package itself + contains shared libraries with symbols + files, they will be generated in these staging + directories by dpkg-gensymbols + (see ). symbols + files found in the build tree take precedence + over symbols files from other binary + packages. +

+ +

+ These files must exist + before dpkg-shlibdeps is run or the + dependencies of binaries and libraries from a source + package on other libraries from that same source + package will not be correct. In practice, this means + that dpkg-gensymbols must be run + before dpkg-shlibdeps during the package + build. + An example may clarify. Suppose the source + package foo generates two binary + packages, libfoo2 and foo-runtime. + When building the binary packages, the contents of + the packages are staged in the + directories debian/libfoo2 + and debian/foo-runtime respectively. + (debian/tmp could be used instead of + one of these.) Since libfoo2 provides + the libfoo shared library, it will contain + a symbols file, which will be installed + in debian/libfoo2/DEBIAN/symbols, + eventually to be included as a control file in that + package. When dpkg-shlibdeps is run on + the + executable debian/foo-runtime/usr/bin/foo-prog, + it will examine + the debian/libfoo2/DEBIAN/symbols file + to determine whether foo-prog's library + dependencies are satisfied by any of the libraries + provided by libfoo2. Since those binaries + were linked against the just-built shared library as + part of the build process, the symbols + file for the newly-built libfoo2 must take + precedence over a symbols file for any + other libfoo2 package already installed on + the system. + +

+
+ + +

+ /etc/dpkg/symbols/package.symbols.arch + and /etc/dpkg/symbols/package.symbols +

+ +

+ Per-system overrides of shared library dependencies. + These files normally do not exist. They are + maintained by the local system administrator and must + not be created by any Debian package. +

+
+ + +

symbols control files for packages + installed on the system

+ +

+ The symbols control files for all the + packages currently installed on the system are + searched last. This will be the most common source of + shared library dependency information. These are + normally found + in /var/lib/dpkg/info/*.symbols, but + packages should not rely on this and instead should + use dpkg-query --control-path package + symbols if for some reason these files need to be + examined. +

+
+

- We say that a binary foo directly uses - a library libbar if it is explicitly linked - with that library (that is, the library is listed in the ELF - NEEDED attribute, caused by adding -lbar - to the link line when the binary is created). Other - libraries that are needed by libbar are linked - indirectly to foo, and the dynamic - linker will load them automatically when it loads - libbar. A package should depend on the libraries - it directly uses, but not the libraries it indirectly uses. - The dependencies for those libraries will automatically pull - in the other libraries. + Be aware that if a debian/shlibs.local exists + in the source package, it will override + any symbols files. This is the only case where + a shlibs is used despite symbols + files being present. See + and for more information.

+ + + + The symbols File Format

- A good example of where this helps is the following. We - could update libimlib with a new version that - supports a new graphics format called dgf (but retaining the - same major version number) and depends on libdgf. - If we used ldd to add dependencies for every - library directly or indirectly linked with a binary, every - package that uses libimlib would need to be - recompiled so it would also depend on libdgf or it - wouldn't run due to missing symbols. Since dependencies are - only added based on ELF NEEDED attribute, packages - using libimlib can rely on libimlib itself - having the dependency on libdgf and so they would - not need rebuilding. + The following documents the format of + the symbols control file as included in binary + packages. These files are built from + template symbols files in the source package + by dpkg-gensymbols. The template files support + a richer syntax that allows dpkg-gensymbols to + do some of the tedious work involved in + maintaining symbols files, such as handling C++ + symbols or optional symbols that may not exist on particular + architectures. When writing symbols files for + a shared library package, refer + to for the + richer syntax.

-
-

-

- In the following sections, we will first describe where the - various shlibs files are to be found, then how to - use dpkg-shlibdeps, and finally the shlibs - file format and how to create them if your package contains a - shared library. -

+

+ A symbols may contain one or more entries, one + for each shared library contained in the package + corresponding to that symbols. Each entry has + the following format: +

- - The shlibs files present on the system +

+ + library-soname main-dependency-template + [| alternative-dependency-template] + [...] + [* field-name: field-value] + [...] + symbol minimal-version[ id-of-dependency-template ] + +

-

- There are several places where shlibs files are - found. The following list gives them in the order in which - they are read by - dpkg-shlibdeps. - (The first one which gives the required information is used.) -

+

+ To explain this format, we'll use the the zlib1g + package as an example, which (at the time of writing) + installs the shared + library /usr/lib/libz.so.1.2.3.4. Mandatory + lines will be described first, followed by optional lines. +

-

- - -

debian/shlibs.local

+

+ library-soname must contain exactly the value of + the ELF SONAME attribute of the shared library. In + our example, this is libz.so.1. + This can be determined by using the command + + readelf -d /usr/lib/libz.so.1.2.3.4 | grep SONAME + + +

-

- This lists overrides for this package. This file should - normally not be used, but may be needed temporarily in - unusual situations to work around bugs in other packages, - or in unusual cases where the normally declared dependency - information in the installed shlibs file for - a library cannot be used. This file overrides information - obtained from any other source. -

- +

+ main-dependency-template has the same syntax as a + dependency field in a binary package control file, except + that the string #MINVER# is replaced by a version + restriction like (>= version) or by + nothing if an unversioned dependency is deemed sufficient. + The version restriction will be based on which symbols from + the shared library are referenced and the version at which + they were introduced (see below). In nearly all + cases, main-dependency-template will + be package #MINVER#, + where package is the name of the binary package + containing the shared library. This adds a simple, + possibly-versioned dependency on the shared library package. + In some rare cases, such as when multiple packages provide + the same shared library ABI, the dependency template may + need to be more complex. +

- -

/etc/dpkg/shlibs.override

+

+ In our example, the first line of + the zlib1g symbols file would be: + + libz.so.1 zlib1g #MINVER# + +

-

- This lists global overrides. This list is normally - empty. It is maintained by the local system - administrator. -

-
+

+ Each public symbol exported by the shared library must have + a corresponding symbol line, indented by one + space. symbol is the exported symbol (which, for + C++, means the mangled symbol) followed by @ and + the symbol version, or the string Base if there is + no symbol version. minimal-version is the most + recent version of the shared library that changed the + behavior of that symbol, whether by adding it, changing its + function signature (the parameters, their types, or the + return type), or changing its behavior in a way that is + visible to a caller. + id-of-dependency-template is an optional + field that references + an alternative-dependency-template; see below for + a full description. +

- -

DEBIAN/shlibs files in the "build directory"

+

+ For example, libz.so.1 contains the + symbols compress + and compressBound. compress has no symbol + version and last changed its behavior in upstream + version 1:1.1.4. compressBound has the + symbol version ZLIB_1.2.0, was introduced in + upstream version 1:1.2.0, and has not changed its + behavior. Its symbols file therefore contains + the lines: + + compress@Base 1:1.1.4 + compressBound@ZLIB_1.2.0 1:1.2.0 + + Packages using only compress would then get a + dependency on zlib1g (>= 1:1.1.4), but packages + using compressBound would get a dependency + on zlib1g (>= 1:1.2.0). +

-

- When packages are being built, - any debian/shlibs files are copied into the - control information file area of the temporary build - directory and given the name shlibs. These - files give details of any shared libraries included in the - same package. - An example may help here. Let us say that the source - package foo generates two binary - packages, libfoo2 and foo-runtime. - When building the binary packages, the two packages are - created in the directories debian/libfoo2 - and debian/foo-runtime respectively. - (debian/tmp could be used instead of one of - these.) Since libfoo2 provides the - libfoo shared library, it will require a - shlibs file, which will be installed in - debian/libfoo2/DEBIAN/shlibs, eventually to - become /var/lib/dpkg/info/libfoo2.shlibs. - When dpkg-shlibdeps is run on the - executable debian/foo-runtime/usr/bin/foo-prog, - it will examine - the debian/libfoo2/DEBIAN/shlibs file to - determine whether foo-prog's library - dependencies are satisfied by any of the libraries - provided by libfoo2. For this reason, - dpkg-shlibdeps must only be run once all of - the individual binary packages' shlibs files - have been installed into the build directory. - -

-
+

+ One or more alternative-dependency-template lines + may be provided. These are used in cases where some symbols + in the shared library should use one dependency template + while others should use a different template. The + alternative dependency templates are used only if a symbol + line contains the id-of-dependency-template + field. The first alternative dependency template is + numbered 1, the second 2, and so forth. + An example of where this may be needed is with a library + that implements the libGL interface. All GL + implementations provide the same set of base interfaces, + and then may provide some additional interfaces only used + by programs that require that specific GL implementation. + So, for example, libgl1-mesa-glx may use the + following symbols file: + + libGL.so.1 libgl1 + | libgl1-mesa-glx #MINVER# + publicGlSymbol@Base 6.3-1 + [...] + implementationSpecificSymbol@Base 6.5.2-7 1 + [...] + + Binaries or shared libraries using + only publicGlSymbol would depend only + on libgl1 (which may be provided by multiple + packages), but ones + using implementationSpecificSymbol would get a + dependency on libgl1-mesa-glx (>= 6.5.2-7) + +

- -

/var/lib/dpkg/info/*.shlibs

+

+ Finally, the entry for the library may contain one or more + metadata fields. Currently, the only + supported field-name + is Build-Depends-Package, whose value lists + the library development + package on which packages using this shared library + declare a build dependency. If this field is + present, dpkg-shlibdeps uses it to ensure that + the resulting binary package dependency on the shared + library is at least as strict as the source package + dependency on the shared library development + package. + This field should normally not be necessary, since if the + behavior of any symbol has changed, the corresponding + symbol minimal-version should have been + increased. But including it makes the symbols + system more robust by tightening the dependency in cases + where the package using the shared library specifically + requires at least a particular version of the shared + library development package for some reason. + + For our example, the zlib1g symbols + file would contain: + + * Build-Depends-Package: zlib1g-dev + +

-

- These are the shlibs files corresponding to - all of the packages installed on the system, and are - maintained by the relevant package maintainers. -

-
+

+ Also see . +

+ - -

/etc/dpkg/shlibs.default

+ + Providing a symbols file -

- This file lists any shared libraries whose packages - have failed to provide correct shlibs files. - It was used when the shlibs setup was first - introduced, but it is now normally empty. It is - maintained by the dpkg maintainer. -

-
- -

-
+

+ If your package provides a shared library, you should + arrange to include a symbols control file + following the format described above in that package. You + must include either a symbols control file or + a shlibs control file. +

- - How to use dpkg-shlibdeps and the - shlibs files +

+ Normally, this is done by creating a symbols in + the source package + named debian/package.symbols + or debian/symbols, possibly + with .arch appended if the symbols + information varies by architecture. This file may use the + extended syntax documented in . Then, call dpkg-gensymbols as + part of the package build process. It will + create symbols files in the package staging + area based on the binaries and libraries in the package + staging area and the symbols files in the + source package. + If you are + using debhelper, dh_makeshlibs will + take care of calling either dpkg-gensymbols + or generating a shlibs file as appropriate. + +

-

- Put a call to - dpkg-shlibdeps - into your debian/rules file. If your package - contains only compiled binaries and libraries (but no scripts), - you can use a command such as: - -dpkg-shlibdeps debian/tmp/usr/bin/* debian/tmp/usr/sbin/* \ - debian/tmp/usr/lib/* - - Otherwise, you will need to explicitly list the compiled - binaries and libraries. - If you are using debhelper, the - dh_shlibdeps program will do this work for you. - It will also correctly handle multi-binary packages. - -

+

+ Packages that provide symbols files must keep + them up-to-date to ensure correct dependencies in packages + that use the shared libraries. This means updating + the symbols file whenever a new public symbol + is added, changing the minimal-version field + whenever a symbol changes behavior or signature in a + backward-compatible way (see ), + and changing the library-soname + and main-dependency-template, and probably all of + the minimal-version fields, when the library + changes SONAME. Removing a public symbol from + the symbols file because it's no longer + provided by the library normally requires changing + the SONAME of the library. + See for more information + on SONAMEs. +

+ +
-

- This command puts the dependency information into the - debian/substvars file, which is then used by - dpkg-gencontrol. You will need to place a - ${shlibs:Depends} variable in the Depends - field in the control file for this to work. -

+ + The shlibs system -

- If you have multiple binary packages, you will need to call - dpkg-shlibdeps on each one which contains - compiled libraries or binaries. In such a case, you will - need to use the -T option to the dpkg - utilities to specify a different substvars file. -

+

+ The shlibs system is a simpler alternative to + the symbols system for declaring dependencies for + shared libraries. It may be more appropriate for C++ + libraries and other cases where tracking individual symbols is + too difficult. It predated the symbols system and is + therefore frequently seen in older packages. It is also + required for udebs, which do not support symbols. +

-

- If you are creating a udeb for use in the Debian Installer, - you will need to specify that dpkg-shlibdeps - should use the dependency line of type udeb by - adding the -tudeb option - dh_shlibdeps from the debhelper suite - will automatically add this option if it knows it is - processing a udeb. - . If there is no dependency line of - type udeb in the shlibs - file, dpkg-shlibdeps will fall back to the regular - dependency line. -

+

+ In the following sections, we will first describe where the + various shlibs files are to be found, then how to + use dpkg-shlibdeps, and finally + the shlibs file format and how to create them. +

-

- For more details on dpkg-shlibdeps, please see - and - . -

-
+ + The shlibs files present on the + system - - The shlibs File Format +

+ There are several places where shlibs files are + found. The following list gives them in the order in which + they are read by dpkg-shlibdeps. (The first + one which gives the required information is used.) + + +

debian/shlibs.local

+ +

+ This lists overrides for this package. This file + should normally not be used, but may be needed + temporarily in unusual situations to work around bugs + in other packages, or in unusual cases where the + normally declared dependency information in the + installed shlibs file for a library + cannot be used. This file overrides information + obtained from any other source. +

+ -

- Each shlibs file has the same format. Lines - beginning with # are considered to be comments and - are ignored. Each line is of the form: - -[type: ]library-name soname-version dependencies ... - -

+ +

/etc/dpkg/shlibs.override

-

- We will explain this by reference to the example of the - zlib1g package, which (at the time of writing) - installs the shared library /usr/lib/libz.so.1.1.3. -

+

+ This lists global overrides. This list is normally + empty. It is maintained by the local system + administrator. +

+
-

- type is an optional element that indicates the type - of package for which the line is valid. The only type currently - in use is udeb. The colon and space after the type are - required. -

+ +

DEBIAN/shlibs files in the "build + directory"

+ +

+ These files are generated as part of the package build + process and staged for inclusion as control files in + the binary packages being built. They provide details + of any shared libraries included in the same package. +

+
-

- library-name is the name of the shared library, - in this case libz. (This must match the name part - of the soname, see below.) -

+ +

shlibs control files for packages + installed on the system

+ +

+ The shlibs control files for all the + packages currently installed on the system. These are + normally found + in /var/lib/dpkg/info/*.shlibs, but + packages should not rely on this and instead should + use dpkg-query --control-path package + shlibs if for some reason these files need to be + examined. +

+
-

- soname-version is the version part of the soname of - the library. The soname is the thing that must exactly match - for the library to be recognized by the dynamic linker, and is - usually of the form - name.so.major-version, in our - example, libz.so.1. - This can be determined using the command - -objdump -p /usr/lib/libz.so.1.1.3 | grep SONAME - - - The version part is the part which comes after - .so., so in our case, it is 1. The soname may - instead be of the form - name-major-version.so, such - as libdb-4.8.so, in which case the name would - be libdb and the version would be 4.8. -

+ +

/etc/dpkg/shlibs.default

+ +

+ This file lists any shared libraries whose packages + have failed to provide correct shlibs + files. It was used when the shlibs setup + was first introduced, but it is now normally empty. + It is maintained by the dpkg maintainer. +

+
+ +

-

- dependencies has the same syntax as a dependency - field in a binary package control file. It should give - details of which packages are required to satisfy a binary - built against the version of the library contained in the - package. See for details. -

+

+ If a symbols file for a shared library package + is available, dpkg-shlibdeps will always use it + in preference to a shlibs, with the exception + of debian/shlibs.local. The latter overrides + any other shlibs or symbols files. +

+
-

- In our example, if the first version of the zlib1g - package which contained a minor number of at least - 1.3 was 1:1.1.3-1, then the - shlibs entry for this library could say: - -libz 1 zlib1g (>= 1:1.1.3) - - The version-specific dependency is to avoid warnings from - the dynamic linker about using older shared libraries with - newer binaries. -

+ + The shlibs File Format -

- As zlib1g also provides a udeb containing the shared library, - there would also be a second line: - -udeb: libz 1 zlib1g-udeb (>= 1:1.1.3) - -

-
+

+ Each shlibs file has the same format. Lines + beginning with # are considered to be comments and + are ignored. Each line is of the form: + + [type: ]library-name soname-version dependencies ... + +

- - Providing a shlibs file +

+ We will explain this by reference to the example of the + zlib1g package, which (at the time of writing) + installs the shared + library /usr/lib/libz.so.1.2.3.4. +

-

- If your package provides a shared library, you need to create - a shlibs file following the format described above. - It is usual to call this file debian/shlibs (but if - you have multiple binary packages, you might want to call it - debian/shlibs.package instead). Then - let debian/rules install it in the control - information file area: - -install -m644 debian/shlibs debian/tmp/DEBIAN - - or, in the case of a multi-binary package: - -install -m644 debian/shlibs.package debian/package/DEBIAN/shlibs - - An alternative way of doing this is to create the - shlibs file in the control information file area - directly from debian/rules without using - a debian/shlibs file at all, - This is what dh_makeshlibs in - the debhelper suite does. If your package - also has a udeb that provides a shared - library, dh_makeshlibs can automatically generate - the udeb: lines if you specify the name of the udeb - with the --add-udeb option. - - since the debian/shlibs file itself is ignored by - dpkg-shlibdeps. -

+

+ type is an optional element that indicates the + type of package for which the line is valid. The only type + currently in use is udeb. The colon and space + after the type are required. +

-

- As dpkg-shlibdeps reads the - DEBIAN/shlibs files in all of the binary packages - being built from this source package, all of the - DEBIAN/shlibs files should be installed before - dpkg-shlibdeps is called on any of the binary - packages. -

-
+

+ library-name is the name of the shared library, + in this case libz. (This must match the name part + of the soname, see below.) +

+ +

+ soname-version is the version part of the + ELF SONAME attribute of the library, determined the + same way that the soversion component of the + recommended shared library package name is determined. + See for the details. +

+ +

+ dependencies has the same syntax as a dependency + field in a binary package control file. It should give + details of which packages are required to satisfy a binary + built against the version of the library contained in the + package. See for details on the + syntax, and for details on how + to maintain the dependency version constraint. +

+ +

+ In our example, if the last change to the zlib1g + package that could change behavior for a client of that + library was in version 1:1.2.3.3.dfsg-1, then + the shlibs entry for this library could say: + + libz 1 zlib1g (>= 1:1.2.3.3.dfsg) + + This version restriction must be new enough that any binary + built against the current version of the library will work + with any version of the shared library that satisfies that + dependency. +

+ +

+ As zlib1g also provides a udeb containing the shared + library, there would also be a second line: + + udeb: libz 1 zlib1g-udeb (>= 1:1.2.3.3.dfsg) + +

+ + + + Providing a shlibs file + +

+ To provide a shlibs file for a shared library + binary package, create a shlibs file following + the format described above and place it in + the DEBIAN directory for that package during + the build. It will then be included as a control file for + that package + This is what dh_makeshlibs in + the debhelper suite does. If your + package also has a udeb that provides a shared + library, dh_makeshlibs can automatically + generate the udeb: lines if you specify the name + of the udeb with the --add-udeb option. + . +

+ +

+ Since dpkg-shlibdeps reads + the DEBIAN/shlibs files in all of the binary + packages being built from this source package, all of + the DEBIAN/shlibs files should be installed + before dpkg-shlibdeps is called on any of the + binary packages. +

+
+ @@ -6185,6 +6926,20 @@ install -m644 debian/shlibs.package debian/package/DEBIAN/ exceptions to the FHS apply: + +

+ The FHS requirement that architecture-independent + application-specific static files be located in + /usr/share is relaxed to a suggestion. + + In particular, a subdirectory of /usr/lib may + be used by a package (or a collection of packages) to hold a + mixture of architecture-independent and + architecture-dependent files. However, when a directory is + entirely composed of architecture-independent files, it + should be located in /usr/share. +

+

The optional rules related to user specific @@ -6226,8 +6981,18 @@ install -m644 debian/shlibs.package debian/package/DEBIAN/ This is necessary in order to reserve the directories for use in cross-installation of library packages from other - architectures, as part of the planned deployment of - multiarch. + architectures, as part of multiarch. + +

+

+ The requirement for C and C++ headers files to be + accessible through the search path + /usr/include/ is amended, permitting files to + be accessible through the search path + /usr/include/triplet where + triplet is as above. + This is necessary for architecture-dependant headers + file to coexist in a multiarch setup.

@@ -6281,16 +7046,36 @@ install -m644 debian/shlibs.package debian/package/DEBIAN/ in /run should be stored on a temporary file system.

+

+ Packages must not assume the /run + directory exists or is usable without a dependency + on initscripts (>= 2.88dsf-13.3) until the + stable release of Debian supports /run. +

- + +

+ The /sys directory in the root filesystem is + additionally allowed. This directory is used as + mount point to mount virtual filesystems to get access to + kernel information. +

+
+

- The following directories in the root filesystem are - additionally allowed: /sys and - /selinux. These directories - are used as mount points to mount virtual filesystems - to get access to kernel information. + The /var/www directory is additionally allowed.

-
+
+ +

+ The requirement for /usr/local/lib<qual> + to exist if /lib<qual> or + /usr/lib<qual> exists (where + lib<qual> is a variant of + lib such as lib32 or + lib64) is removed. +

+

On GNU/Hurd systems, the following additional @@ -6571,6 +7356,35 @@ rmdir /usr/local/share/emacs 2>/dev/null || true 65535: + +

+ This value must not be used, because it was + the error return sentinel value when uid_t + was 16 bits. +

+
+ + 65536-4294967293: + +

+ Dynamically allocated user accounts. By + default adduser will not allocate UIDs + and GIDs in this range, to ease compatibility with + legacy systems where uid_t is still 16 + bits. +

+
+ + 4294967294: + +

+ (uid_t)(-2) == (gid_t)(-2) must not be + used, because it is used as the anonymous, unauthenticated + user by some NFS implementations. +

+
+ + 4294967295:

(uid_t)(-1) == (gid_t)(-1) must @@ -7369,33 +8183,28 @@ Reloading description configuration...done.

- Packages which provide the ability to view/show/play, - compose, edit or print MIME types should register themselves - as such following the current MIME support policy. + Packages which provide programs to view/show/play, compose, edit or + print MIME types should register them as such by placing a file in + format (RFC 1524) in the directory + /usr/lib/mime/packages/. The file name should be the + binary package's name.

The mime-support package provides the - update-mime program which allows packages to - register programs that can show, compose, edit or print - MIME types. -

- -

- Packages containing such programs must register them - with update-mime as documented in . They should not depend - on, recommend, or suggest mime-support. Instead, - they should just put something like the following in the - postinst and postrm scripts: - - - if [ -x /usr/sbin/update-mime ]; then - update-mime - fi - + update-mime program, which integrates these + registrations in the /etc/mailcap file, using dpkg + triggers + Creating, modifying or removing a file in + /usr/lib/mime/packages/ using maintainer scripts will + not activate the trigger. In that case, it can be done by calling + dpkg-trigger --no-await /usr/lib/mime/packages from + the maintainer script after creating, modifying, or removing + the file. + . + Packages using this facility should not depend on, + recommend, or suggest mime-support.

- @@ -7609,6 +8418,74 @@ exec /usr/lib/foo/foo "$@"

+ + Alternate init systems +

+ A number of other init systems are available now in Debian that + can be used in place of sysvinit. Alternative + init implementations must support running SysV init scripts as + described at for compatibility. +

+

+ Packages may integrate with these replacement init systems by + providing implementation-specific configuration information about + how and when to start a service or in what order to run certain + tasks at boot time. However, any package integrating with other + init systems must also be backwards-compatible with + sysvinit by providing a SysV-style init script + with the same name as and equivalent functionality to any + init-specific job, as this is the only start-up configuration + method guaranteed to be supported by all init implementations. An + exception to this rule is scripts or jobs provided by the init + implementation itself; such jobs may be required for an + implementation-specific equivalent of the /etc/rcS.d/ + scripts and may not have a one-to-one correspondence with the init + scripts. +

+ + Event-based boot with upstart + +

+ Packages may integrate with the upstart event-based + boot system by installing job files in the + /etc/init directory. SysV init scripts for which + an equivalent upstart job is available must query the output of + the command initctl version for the string + upstart and avoid running in favor of the native + upstart job, using a test such as this: + +if [ "$1" = start ] && which initctl >/dev/null && initctl version | grep -q upstart +then + exit 1 +fi + +

+

+ Because packages shipping upstart jobs may be installed on + systems that are not using upstart, maintainer scripts must + still use the common update-rc.d and + invoke-rc.d interfaces for configuring runlevels + and for starting and stopping services. These maintainer + scripts must not call the upstart start, + restart, reload, or stop + interfaces directly. Instead, implementations of + invoke-rc.d must detect when upstart is running and + when an upstart job with the same name as an init script is + present, and perform the requested action using the upstart job + instead of the init script. +

+

+ Dependency-based boot managers for SysV init scripts, such as + startpar, may avoid running a given init script + entirely when an equivalent upstart job is present, to avoid + unnecessary forking of no-op init scripts. In this case, the + boot manager should integrate with upstart to detect when the + upstart job in question is started or stopped to know when the + dependency has been satisfied. +

+
+
+ @@ -7631,7 +8508,17 @@ exec /usr/lib/foo/foo "$@" renamed. If a consensus cannot be reached, both programs must be renamed.

- +

+ Binary executables must not be statically linked with the GNU C + library, since this prevents the binary from benefiting from + fixes and improvements to the C library without being rebuilt + and complicates security updates. This requirement may be + relaxed for binary executables whose intended purpose is to + diagnose and fix the system in situations where the GNU C + library may not be usable (such as system recovery shells or + utilities like ldconfig) or for binary executables where the + security benefits of static linking outweigh the drawbacks. +

By default, when a package is being built, any binaries created should include debugging information, as well as @@ -7760,8 +8647,9 @@ INSTALL = install -s # (or use strip on the files in debian/tmp) Although not enforced by the build tools, shared libraries must be linked against all libraries that they use symbols from in the same way that binaries are. This ensures the correct - functioning of the shlibs - system and guarantees that all libraries can be safely opened + functioning of the symbols + and shlibs + systems and guarantees that all libraries can be safely opened with dlopen(). Packagers may wish to use the gcc option -Wl,-z,defs when building a shared library. Since this option enforces symbol resolution at build time, @@ -7980,9 +8868,10 @@ fname () { as its interpreter. Checking your script with checkbashisms from the devscripts package or running your script - with posh may help uncover violations of the above - requirements. If in doubt whether a script complies with these - requirements, use /bin/bash. + with an alternate shell such as posh may help + uncover violations of the above requirements. If in doubt + whether a script complies with these requirements, + use /bin/bash.

@@ -8038,6 +8927,7 @@ fname () { would point to /srv/run rather than the intended target. + Symbolic links must not traverse above the root directory.

@@ -8070,7 +8960,9 @@ ln -fs ../sbin/sendmail debian/tmp/usr/bin/runq

- A symbolic link pointing to a compressed file should always + A symbolic link pointing to a compressed file (in the sense + that it is meant to be uncompressed with unzip + or zless etc.) should always have the same file extension as the referenced file. (For example, if a file foo.gz is referenced by a symbolic link, the filename of the link has to end with @@ -8204,8 +9096,10 @@ ln -fs ../sbin/sendmail debian/tmp/usr/bin/runq package is purged. - Obsolete configuration files without local changes may be - removed by the package during upgrade. + Obsolete configuration files without local changes should be + removed by the package during upgrade. + The dpkg-maintscript-helper tool, available from the + dpkg package, can help for this task.

@@ -8688,6 +9582,23 @@ done

+ + + File names + +

+ The name of the files installed by binary packages in the system PATH + (namely /bin, /sbin, /usr/bin, + /usr/sbin and /usr/games) must be encoded in + ASCII. +

+ +

+ The name of the files and directories installed by binary packages + outside the system PATH must be encoded in UTF-8 and should be + restricted to ASCII when it is possible to do so. +

+
@@ -8874,36 +9785,20 @@ done Cgi-bin executable files are installed in the directory -/usr/lib/cgi-bin/cgi-bin-name +/usr/lib/cgi-bin - or a subdirectory of that directory, and should be - referred to as + or a subdirectory of that directory, and the script -http://localhost/cgi-bin/cgi-bin-name +/usr/lib/cgi-bin/.../cgi-bin-name - (possibly with a subdirectory name - before cgi-bin-name). -
- - -

Access to HTML documents

- -

- HTML documents for a package are stored in - /usr/share/doc/package - and can be referred to as + should be referred to as -http://localhost/doc/package/filename +http://localhost/cgi-bin/.../cgi-bin-name -

+
-

- The web server should restrict access to the document - tree so that only clients on the same host can read - the documents. If the web server does not support such - access controls, then it should not provide access at - all, or ask about providing access during installation. -

+ +

(Deleted)

@@ -8931,7 +9826,7 @@ http://localhost/doc/package/filename doc-base package. If access to the web document root is unavoidable then use -/var/www +/var/www/html as the Document Root. This might be just a symbolic link to the location where the system administrator @@ -9714,18 +10609,23 @@ name ["syshostname"]:

The install-info program maintains a directory of - installed info documents in /usr/share/info/dir for - the use of info readers. - It was previously necessary for packages installing info - documents to run install-info from maintainer - scripts. This is no longer necessary. The installation - system now uses dpkg triggers. - - This file must not be included in packages. Packages containing - info documents should depend on dpkg (>= 1.15.4) | - install-info to ensure that the directory file is properly - rebuilt during partial upgrades from Debian 5.0 (lenny) and - earlier. + installed info documents in /usr/share/info/dir for the + use of info readers. This file must not be included in packages + other than install-info. +

+ +

+ install-info is automatically invoked when + appropriate using dpkg triggers. Packages other than + install-info should not invoke + install-info directly and should not + depend on, recommend, or suggest install-info + for this purpose. +

+ +

+ Info readers requiring the /usr/share/info/dir file + should depend on install-info.

@@ -9762,45 +10662,77 @@ END-INFO-DIR-ENTRY

- + Additional documentation

- Any additional documentation that comes with the package may - be installed at the discretion of the package maintainer. - Plain text documentation should be installed in the directory - /usr/share/doc/package, where - package is the name of the package, and - compressed with gzip -9 unless it is small. -

+ Any additional documentation that comes with the package may be + installed at the discretion of the package maintainer. It is + often a good idea to include text information files + (READMEs, FAQs, and so forth) that come with the + source package in the binary package. However, you don't need + to install the instructions for building and installing the + package, of course! +

- If a package comes with large amounts of documentation which - many users of the package will not require you should create - a separate binary package to contain it, so that it does not - take up disk space on the machines of users who do not need - or want it installed.

+ Plain text documentation should be compressed with gzip + -9 unless it is small. +

+ +

+ If a package comes with large amounts of documentation that many + users of the package will not require, you should create a + separate binary package to contain it so that it does not take + up disk space on the machines of users who do not need or want + it installed. As a special case of this rule, shared library + documentation of any appreciable size should always be packaged + with the library development package () + or in a separate documentation package, since shared libraries + are frequently installed as dependencies of other packages by + users who have little interest in documentation of the library + itself. The documentation package for the + package package is conventionally + named package-doc + (or package-doc-language-code if there are + separate documentation packages for multiple languages). +

- It is often a good idea to put text information files - (READMEs, changelogs, and so forth) that come with - the source package in /usr/share/doc/package - in the binary package. However, you don't need to install - the instructions for building and installing the package, of - course!

+ Additional documentation included in the package should be + installed under /usr/share/doc/package. + If the documentation is packaged separately, + as package-doc for example, it may be installed under + either that path or into the documentation directory for the + separate documentation package + (/usr/share/doc/package-doc in this + example). However, installing the documentation into the + documentation directory of the main package is preferred since + it is independent of the packaging method and will be easier for + users to find. +

+ +

+ Any separate package providing documentation must still install + standard documentation files in its + own /usr/share/doc directory as specified in the + rest of this policy. See, for example, + and . +

Packages must not require the existence of any files in /usr/share/doc/ in order to function - The system administrator should be able to - delete files in /usr/share/doc/ without causing - any programs to break. - . - Any files that are referenced by programs but are also - useful as stand alone documentation should be installed under - /usr/share/package/ with symbolic links from - /usr/share/doc/package. + The system administrator should be able to delete files + in /usr/share/doc/ without causing any programs + to break. + . Any files that are used or read by programs but + are also useful as stand alone documentation should be installed + elsewhere, such as + under /usr/share/package/, and then + included via symbolic links + in /usr/share/doc/package.

@@ -9820,18 +10752,6 @@ END-INFO-DIR-ENTRY

- -

- Former Debian releases placed all additional documentation - in /usr/doc/package. This has been - changed to /usr/share/doc/package, - and packages must not put documentation in the directory - /usr/doc/package. - At this phase of the transition, we no longer require a - symbolic link in /usr/doc/. At a later point, - policy shall change to make the symbolic links a bug. - -

@@ -9842,16 +10762,16 @@ END-INFO-DIR-ENTRY via HTML.

- If your package comes with extensive documentation in a + If the package comes with extensive documentation in a markup format that can be converted to various other formats you should if possible ship HTML versions in a binary - package, in the directory - /usr/share/doc/appropriate-package or - its subdirectories. - The rationale: The important thing here is that HTML - docs should be available in some package, not - necessarily in the main binary package. + package. + Rationale: The important thing here is that HTML + documentation should be available from some + binary package. + The documentation must be installed as specified in + .

@@ -9935,6 +10855,10 @@ END-INFO-DIR-ENTRY README.Debian or some other appropriate place.

+

+ All copyright files must be encoded in UTF-8. +

+ Machine-readable copyright information @@ -10088,12 +11012,6 @@ END-INFO-DIR-ENTRY dpkg, dselect et al. and the way they interact with packages.

-

- It also documents the interaction between - dselect's core and the access method scripts it - uses to actually install the selected packages, and describes - how to create a new access method.

-

This manual does not go into detail about the options and usage of the package building and installation tools. It @@ -10103,10 +11021,7 @@ END-INFO-DIR-ENTRY

The utility programs which are provided with dpkg - for managing various system configuration and similar issues, - such as update-rc.d and - install-info, are not described in detail here - - please see their man pages. + not described in detail here, are documented in their man pages.

@@ -10126,25 +11041,9 @@ END-INFO-DIR-ENTRY Binary packages (from old Packaging Manual)

- The binary package has two main sections. The first part - consists of various control information files and scripts used - by dpkg when installing and removing. See . -

- -

- The second part is an archive containing the files and - directories to be installed. -

- -

- In the future binary packages may also contain other - components, such as checksums and digital signatures. The - format for the archive is described in full in the - deb(5) man page. + See and .

- Creating package files - dpkg-deb @@ -10446,55 +11345,7 @@ END-INFO-DIR-ENTRY

- dpkg-buildpackage is a script which invokes - dpkg-source, the debian/rules - targets clean, build and - binary, dpkg-genchanges and - gpg (or pgp) to build a signed - source and binary package upload. -

- -

- It is usually invoked by hand from the top level of the - built or unbuilt source directory. It may be invoked with - no arguments; useful arguments include: - - -uc, -us - -

- Do not sign the .changes file or the - source package .dsc file, respectively.

-
- -psign-command - -

- Invoke sign-command instead of finding - gpg or pgp on the PATH. - sign-command must behave just like - gpg or pgp.

-
- -rroot-command - -

- When root privilege is required, invoke the command - root-command. root-command - should invoke its first argument as a command, from - the PATH if necessary, and pass its - second and subsequent arguments to the command it - calls. If no root-command is supplied - then dpkg-buildpackage will take no - special action to gain root privilege, so that for - most packages it will have to be invoked as root to - start with.

-
- -b, -B - -

- Two types of binary-only build and upload - see - . -

-
- + See .

@@ -10568,82 +11419,10 @@ END-INFO-DIR-ENTRY

- This program is usually called from debian/rules - just before dpkg-gencontrol (see ), in the top level of the source tree. -

- -

- Its arguments are executables and shared libraries - -

- They may be specified either in the locations in the - source tree where they are created or in the locations - in the temporary build tree where they are installed - prior to binary package creation. -

- for which shared library dependencies should - be included in the binary package's control file. -

- -

- If some of the found shared libraries should only - warrant a Recommends or Suggests, or if - some warrant a Pre-Depends, this can be achieved - by using the -ddependency-field option - before those executable(s). (Each -d option - takes effect until the next -d.) -

- -

- dpkg-shlibdeps does not directly cause the - output control file to be modified. Instead by default it - adds to the debian/substvars file variable - settings like shlibs:Depends. These variable - settings must be referenced in dependency fields in the - appropriate per-binary-package sections of the source - control file. -

- -

- For example, a package that generates an essential part - which requires dependencies, and optional parts that - which only require a recommendation, would separate those - two sets of dependencies into two different fields. - At the time of writing, an example for this was the - - It can say in its debian/rules: - - dpkg-shlibdeps -dDepends program anotherprogram ... \ - -dRecommends optionalpart anotheroptionalpart - - and then in its main control file debian/control: - - ... - Depends: ${shlibs:Depends} - Recommends: ${shlibs:Recommends} - ... - -

- -

- Sources which produce several binary packages with - different shared library dependency requirements can use - the -pvarnameprefix option to override - the default shlibs: prefix (one invocation of - dpkg-shlibdeps per setting of this option). - They can thus produce several sets of dependency - variables, each of the form - varnameprefix:dependencyfield, - which can be referred to in the appropriate parts of the - binary package control files. + See .

- dpkg-distaddfile - adds a file to @@ -10690,23 +11469,10 @@ END-INFO-DIR-ENTRY

- This program is usually called by package-independent - automatic building scripts such as - dpkg-buildpackage, but it may also be called - by hand. -

- -

- It is usually called in the top level of a built source - tree, and when invoked with no arguments will print out a - straightforward .changes file based on the - information in the source package's changelog and control - file and the binary and source packages which should have - been built. + See .

- dpkg-parsechangelog - produces parsed @@ -10714,12 +11480,7 @@ END-INFO-DIR-ENTRY

- This program is used internally by - dpkg-source et al. It may also occasionally - be useful in debian/rules and elsewhere. It - parses a changelog, debian/changelog by default, - and prints a control-file format representation of the - information in it to standard output. + See .

@@ -10730,10 +11491,7 @@ END-INFO-DIR-ENTRY

- This program can be used manually, but is also invoked by - dpkg-buildpackage or debian/rules to set - environment or make variables which specify the build and host - architecture for the package building process. + See .

@@ -11422,6 +12180,11 @@ END-INFO-DIR-ENTRY there is a time, after it has been diverted but before dpkg has installed the new version, when the file does not exist.

+ +

+ Do not attempt to divert a conffile, as dpkg does not + handle it well. +
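Review bot: In the multiarch header hunk (@@ -6226,8 +6981,18 @@), the added paragraph has three wording slips: "C and C++ headers files", "architecture-dependant" and "headers file to coexist". Suggest "C and C++ header files", "architecture-dependent" and "header files to coexist", so that the new exception reads like the library-directory exception that precedes it.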
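Review bot: In the UID/GID hunk (@@ -6571,6 +7356,35 @@), the new entries 4294967294 and 4294967295 are equated with (uid_t)(-2) and (uid_t)(-1), which holds only where uid_t is 32 bits, while the 65535 and 65536-4294967293 entries in the same hunk explicitly allow for systems where uid_t is 16 bits. Suggest stating the 32-bit assumption once for the list. The 65536-4294967293 entry also says that adduser will not allocate from the range by default but not how an account is meant to end up there, so one sentence on who allocates these IDs would help.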
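Review bot: In the MIME hunk (@@ -7369,33 +8183,28 @@), the footnote tells packagers to call "dpkg-trigger --no-await /usr/lib/mime/packages" from "the maintainer script" without naming which script covers which case, whereas the removed text named postinst and postrm explicitly. Suggest naming the scripts again, at least for the removal case. The first added paragraph also reads "by placing a file in format (RFC 1524)", where the format name appears to be missing before "format".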
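Review bot: In the upstart hunk (@@ -7609,6 +8418,74 @@), the sample guard tests only [ "$1" = start ], so a direct "restart" or "stop" of the init script still runs the SysV code path against a service that the native upstart job is supervising. The text should say what those actions are expected to do under upstart, or the test should cover them. The guard also ends in a silent "exit 1", so an administrator who runs the script by hand sees a bare failure; suggest a sentence saying that the non-zero status is intentional and that callers are expected to go through invoke-rc.d.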
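Review bot: In the static-linking hunk (@@ -7631,7 +8508,17 @@), the second exception, "binary executables where the security benefits of static linking outweigh the drawbacks", gives no criteria and no requirement to record the decision, which weakens the "must not" that opens the paragraph. Since the stated rationale is that static linking "complicates security updates", suggest requiring a package that uses either exception to document it, so that statically linked binaries can be identified and rebuilt when the C library is fixed.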
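Review bot: In the symbolic-link hunk (@@ -8038,6 +8927,7 @@), the added sentence "Symbolic links must not traverse above the root directory" does not say whether it applies to the link target as written in the package or as resolved on the installed system, and the context line just before it (a link that "would point to /srv/run rather than the intended target") is about the resolved case. Suggest stating which is meant, and adding one example of a relative target that violates the rule.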
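Review bot: In the web hunk (@@ -8874,36 +9785,20 @@), removing the "Access to HTML documents" text also removes the only statement that the web server "should restrict access to the document tree so that only clients on the same host can read the documents", and the section is left as a bare "(Deleted)". Suggest one sentence saying whether web server packages are still expected to serve /usr/share/doc/package under http://localhost/doc/ at all, so that a reader does not conclude the mapping stays and only the access restriction was dropped.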
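Review bot: In the last hunk (@@ -11422,6 +12180,11 @@), "Do not attempt to divert a conffile, as dpkg does not handle it well" uses no normative keyword and does not say what goes wrong. Suggest "must not" or "should not" to match the wording used elsewhere in this diff, plus one clause describing the failure a packager would see, so the rule can be checked rather than taken on trust.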