none
Debian/Ubuntu packaging is badly hosed and *dangerous*

    Question

  • Dear Microsoft Team,

    your Debian/Ubuntu packaging needs severe improvement. I quote from the postinst script privided by microsoft-r-open-mro-3.5.0

    #!/bin/bash
    
    #TODO: Avoid hard code VERSION number in all scripts
    VERSION=`echo $DPKG_MAINTSCRIPT_PACKAGE | sed 's/[[:alpha:]|(|[:space:]]//g' | sed 's/\-*//' | awk  -F. '{print $1 "." $2 "." $3}'`
    INSTALL_PREFIX="/opt/microsoft/ropen/${VERSION}"
    
    echo $VERSION
    
    ln -s "${INSTALL_PREFIX}/lib64/R/bin/R" /usr/bin/R
    ln -s "${INSTALL_PREFIX}/lib64/R/bin/Rscript" /usr/bin/Rscript
    
    rm /bin/sh
    ln -s /bin/bash /bin/sh
    

    This has several bugs, some of which are severe:

    • The link command will not succeed if another R is installed. You should/need to use dpkg-divert to divert R and Rscript to your binaries instead of hard-coded trying to create a link.
    • The last command is an *absolute* no-go!!! Again, /bin/sh is already normally diverted either to dash or bash, you need to interact with that. There should be no need to force /bin/sh to be /bin/bash, please use a correct #! header line in your scripts.

    Even worse, in the prerm script you forcibly remove /usr/bin/R and Rscript *without* checking whether it is the version *you* have installed.

    This is very dangerous packaging.

    Monday, June 11, 2018 8:57 AM

Answers

  • Hi Norbert – Thanks again for pointing out the issues. We just released an update for MRO 3.5.0, with better behaving scripts. Specifically, we have removed the code which relinked /bin/sh to /bin/bash, and we are leveraging the appropriate technologies (dpkg-divert for Debian and update-alternatives for RPM) to create and restore the symlinks per your recommendation. We will have a discussion with the Debian maintainers of R on how to do an alternative setup as a future change. Finally, for the next release, MRO 3.5.1, we will make the MRO setup code available as open source, for everybody to inspect and give feedback on. The update is available for download on https://mran.microsoft.com/download .

     

    Thanks,

    Rene


    Wednesday, June 13, 2018 9:31 AM

All replies

  • Norbert's analysis is correct, there are some serious no-no's going on here. Please poke me internally (alias joshield) if y'all need some help with Debian packaging best practice.
    Monday, June 11, 2018 7:23 PM
  • Hi Norbert,

    Thank you for bringing this to our attention!

    You are making some very valid points, and we will be making updates asap.

    Thanks,

    Rene

    Monday, June 11, 2018 8:23 PM
  • Thanks for looking into it. The correct way would be to call dpkg-divert in the preinstall script and ship the link directly in the package, and of course undo the dpkg-divert in the postrm script. Other options would be to discuss with the Debian maintainers of R about an alternative setup (update-alternatives).

    Furthermore, I heard that mkl will enter into Debian at some point, then using that one is probably the better option.

    Thanks

    Norbert

    Monday, June 11, 2018 11:51 PM
  • Hi Norbert – Thanks again for pointing out the issues. We just released an update for MRO 3.5.0, with better behaving scripts. Specifically, we have removed the code which relinked /bin/sh to /bin/bash, and we are leveraging the appropriate technologies (dpkg-divert for Debian and update-alternatives for RPM) to create and restore the symlinks per your recommendation. We will have a discussion with the Debian maintainers of R on how to do an alternative setup as a future change. Finally, for the next release, MRO 3.5.1, we will make the MRO setup code available as open source, for everybody to inspect and give feedback on. The update is available for download on https://mran.microsoft.com/download .

     

    Thanks,

    Rene


    Wednesday, June 13, 2018 9:31 AM
  • Hi Rene,

    thanks a lot, I can confirm that the fixed packages behave properly, well done.

    Wednesday, June 13, 2018 10:14 AM