Subject: spurious apostrophes in PKGNAME_REQD - prereq to pkg/30954
To: None <,,>
From: None <>
List: pkgsrc-bugs
Date: 08/09/2005 23:04:01
The following reply was made to PR pkg/30954; it has been noted by GNATS.

Subject: spurious apostrophes in PKGNAME_REQD - prereq to pkg/30954
Date: Tue,  9 Aug 2005 23:03:55 +0000 (UTC)

 >Submitter-Id:	net
 >Originator:	Chapman Flack
 >Confidential:	no
 >Synopsis:	spurious apostrophes in PKGNAME_REQD - prereq to pkg/30954
 >Severity:	serious
 >Priority:	medium
 >Category:	pkg
 >Class:		sw-bug
 >Release:	2.0.0 (irrelevant to issue)
 >Environment:	NetBSD 2.0 NetBSD 2.0 (lundestad) #11: Sat Mar  5 14:01:49 EST 2005  xxx@xxx:/usr/src/sys/arch/i386/compile/lundestad i386 (irrelevant to issue)
 The value of PKGNAME_REQD is not directly usable because it usually contains
 spurious apostrophes that have to be stripped out. However, the apostrophes were
 added (1.1300) as a workaround for a particular platform that had buggy behavior
 in 2003, and if that system is still buggy, the apostrophes will NOT be seen
 when running on that platform (because it will have consumed them as quotes,
 where on a non-buggy system they are part of the literal value). That's even
 worse: users of PKGNAME_REQD now have to treat it as a value that will USUALLY
 BUT NOT ALWAYS have spurious apostrophes, and so now any use of PKGNAME_REQD has
 to contain a conditional workaround of the problem caused by the workaround
 created for a buggy platform in 2003. Also, the change reintroduced a a risk of
 surprise from strange IFS values or globbing with unluckily-named files in the
 filesystem that had been fixed in 1.1275 (Sep 2003).
 Happily, there is only one package I know of at present that uses PKGNAME_REQD:
 lang/python/ had to have a workaround added (1.6) when the
 apostrophes appeared in the value. Therefore, fixing this issue would not
 require much effort in backing out workarounds: lang/python/ would
 need to have 1.6 backed out. However, this issue has greater impact than just
 lang/python, because it blocks pkg/30954, which impairs functionality of
   Revert the line
     ${MAKE} ${MAKEFLAGS} $$target ... PKGNAME_REQD=\'$$pkg\';
   to its form as of 1.1275:
     ${MAKE} ${MAKEFLAGS} $$target ... PKGNAME_REQD="$$pkg";
   Back out revision 1.6 of lang/python/
   Then, IF the symptom seen building mplayer on Linux in 2003 reappears--it may
   not, if an underlying bug with that platform got fixed in the meantime--I'll
   be happy to help look for the real problem, toward developing a targeted
   workaround or genuine fix. A test Makefile and some debugging suggestions
   were included in
   The test Makefile can be used to test for problems on a suspect platform
   without waiting for a failed package build.
 The recommendation is very short and simple (and there's a patch at the end).
 The reason this PR is long is that it might be counterintuitive--there was a
 problem reported, a change was made that seemed to fix it, why go back? I'll try
 to show carefully why the fix was an accident and something else should be done.
 From 1.904 to 1.1275 (Jan 2002 to Sep 2003), had this line in a
 shell command:
   ${MAKE} ${MAKEFLAGS} $$target ... PKGNAME_REQD=$$pkg;
 In 1.1275 (Sep 2003), jlam added double quotes:
   ${MAKE} ${MAKEFLAGS} $$target ... PKGNAME_REQD="$$pkg";
 in 1.1296 (Oct 2003), grant changed it to this:
   ${MAKE} ${MAKEFLAGS} $$target ... PKGNAME_REQD=\""$$pkg"\";
 in 1.1298 (12 days later), agc reverted that change.
 in 1.1300 (same day), grant tried it this way (as it is to this day):
   ${MAKE} ${MAKEFLAGS} $$target ... PKGNAME_REQD=\'$$pkg\';
 This PR is concerned with grant's changes, 1.1296 and 1.1300, both of which
 modify the package name, adding literal double quotes or literal apostrophes to
 it, respectively. grant had a reason for trying this: according to the CVS log,
 a build of mplayer on Linux had failed because a required package was named
 nas>=1.4.2, and at some point the name was treated incorrectly as a redirection,
 creating a file named =1.4.2.  grant noticed an invocation of make with
 PKGNAME_REQD=nas>=1.4.2 (no quotes), which would certainly have that effect. As
 the line above is the only line in that sets PKGNAME_REQD, it was
 quite natural and understandable for that line to be the prime suspect.  And
 apparently the change even made the symptom go away on the problem system, so it
 must have looked like an open-and-shut case.
 The trouble is, the prime suspect has an ironclad defense.
 First, notice the two $ signs in $$pkg. This is not a value substituted into the
 shell command by make, but a shell parameter being expanded by the shell itself.
 The suspect is accused of forming a shell redirection out of the result of a
 parameter expansion, but it is easy to demonstrate that the shell doesn't do
 that. It is deducible from SUSv3, and it is demonstrable in sh, ash, ksh, pdksh,
 and bash. It might /seem/ possible in SUSv3, because redirection is said to
 happen after parameter expansion--but it only happens at redirect operators,
 which were tokenized /before/ expansion; any < or > in an expansion result is
 just a character. So says the standard, and it can be confirmed in all the
 shells just listed.
 Second, what is the evidence against the suspect? The witness reports seeing an
 invocation of ${MAKE} with PKGNAME_REQD=nas>=1.4.2. But the accused line will
 produce PKGNAME_REQD="$pkg" - that's what you'd see in the output from make,
 and that's what you'd see with ps. You're seeing the shell command (and nbmake
 seems to overwrite its x=y arguments, so you don't see their values in ps
 anyway). If it was in the + line produced by sh -x (make -dx), then that was
 the way it /should/ have looked if the shell was ash or pdksh (which produce
 their + output after quote removal); it would only have been suspicious if the
 shell was bash or real ksh (which produce + output properly quoted).
 Third, observe that dependent package names with >= wildcards are pretty
 common in pkgsrc. If the line in question had really been quoted incorrectly
 to avoid shell redirection, the symptom would not have been /one/ package
 building incorrectly on /one/ platform, nearly two years after the line was
 added. It would have been hard to miss.
 So, if the ONLY line anywhere in that invokes ${MAKE} with an
 assignment for PKGNAME_REQD is accused of doing what it can't have done, on the
 basis of evidence it can't have produced, what's left?  Like the man said,
 "whatever remains, however improbable, must be the truth." There must be some
 other place ${MAKE} can be invoked with an assignment for PKGNAME_REQD. And
 there is: any subsequent recursive invocation of ${MAKE} ${MAKEFLAGS}. Once
 PKGNAME_REQD has been assigned on the command line, it goes into .MAKEOVERRIDES
 where, like MAKEFLAGS, it is supposed to be passed automatically and
 transparently to sub-makes. That means the appropriate quoting has to be done
 automatically, and current nbmake does so (with the :Q in
 Main_ExportMAKEFLAGS). My guess is on the problem platform in 2003, there was
 a make, shell, or library involved that differed somehow in the way quoting
 was handled. That was a bug that deserved to be fixed, so another cost of the
 1.1300 change in is it probably masked a problem that could
 otherwise have been tracked down.
 All four historical versions have been safe from I/O redirection
 surprises--even the first one, with no quoting at all. As explained above,
 the shell does not see redirection operators in expansion results.
 The unquoted first version would be vulnerable to (rare) surprises from
 field splitting (if IFS happened to contain a character that was in the
 package name), or pathname expansion (if the package name contained shell
 wildcards and a file existed with an unlikely name PKGNAME_REQD=foo... that
 happened to match the entire word).  Both cases were unlikely, but jlam's
 fix in 1.1275 made both impossible.
 The version with double quotes in 1.1296 should have had no effect except to
 include literal double quotes in the package name. However, agc reverted it,
 apparently in response to breakage (ironically, seems from the CVS log it caused
 the same symptom on good platforms it had been intended to correct on bad ones).
 The reason it caused breakage probably can be traced to these two lines:
   3614:	     pkg="${dep:C/:.*//}";
   3615:	     dir="${dep:C/[^:]*://:C/:.*$//}";
 where the literal doublequotes in the value cancelled the enclosing
 doublequotes, leaving the > character exposed. That would not have happened
 with this form:
   3614:	     pkg=${dep:C/:.*//:Q};
   3615:	     dir=${dep:C/[^:]*://:C/:.*$//:Q};
 so I include that change in the patch.
 The version with single quotes in 1.1300 avoided that particular accident (just
 because it added single instead of double quotes), but also--because it does
 not in fact quote the value at all--was a regression of jlam's fix in 1.1275,
 reopening the possibility of IFS and glob surprises.
 This Makefile creates some evilly-named files in the current directory,
 to show the effect of the forms that are not globbing-protected.
 all : 904 1275 1296 1300
 904 : prepare
 	pkg='abc>=1.2.*' ;\
 	sh -c 'echo "$$@"' dummy PKGNAME_REQD=$$pkg
 1275 : prepare
 	pkg='abc>=1.2.*' ;\
 	sh -c 'echo "$$@"' dummy PKGNAME_REQD="$$pkg"
 1296 : prepare
 	pkg='abc>=1.2.*' ;\
 	sh -c 'echo "$$@"' dummy PKGNAME_REQD=\""$$pkg"\"
 1300 : prepare
 	pkg='abc>=1.2.*' ;\
 	sh -c 'echo "$$@"' dummy PKGNAME_REQD=\'$$pkg\'
 prepare :
 test :
 	pkg='abc>=1.2.*' ;\
 	${MAKE} ${MAKEFLAGS} nothing PKGNAME_REQD="$$pkg"
 nothing :
 	echo ${PKGNAME_REQD:Q}
 	ps -ww -o args
 With make -dv, can confirm that PKGNAME_REQD value contains apostrophes when bin-install invoked for dependencies (can be masked by pkg/30928--fix that to make sure bin-install GETS invoked for dependencies).
 See for example of package rework required by the insertion of spurious apostrophes.
 --- /tmp/	2005-08-09 14:32:15.000000000 -0500
 +++ /tmp/	2005-08-09 16:53:46.000000000 -0500
 @@ -3611,8 +3611,8 @@
  .    else	# !DEPENDS
  .      for dep in ${_DEPENDS_AND_BUILD_DEPENDS:O}
  	${_PKG_SILENT}${_PKG_DEBUG}					\
 -	pkg="${dep:C/:.*//}";						\
 -	dir="${dep:C/[^:]*://:C/:.*$//}";				\
 +	pkg=${dep:C/:.*//:Q};					       \
 +	dir=${dep:C/[^:]*://:C/:.*$//:Q};			       \
  	found=`${PKG_BEST_EXISTS} "$$pkg" || ${TRUE}`;			\
  	if [ "X$$REBUILD_DOWNLEVEL_DEPENDS" != "X" ]; then		\
  		pkgname=`cd $$dir ; ${MAKE} ${MAKEFLAGS} show-var VARNAME=PKGNAME`; \
 @@ -3644,7 +3644,7 @@
  			${ECHO_MSG} "=> No directory for $$dir.  Skipping.."; \
  		else							\
  			cd $$dir ;					\
 -			${SETENV} _PKGSRC_DEPS=", ${PKGNAME}${_PKGSRC_DEPS}" ${MAKE} ${MAKEFLAGS} $$target PKGNAME_REQD=\'$$pkg\' MAKEFLAGS="" || exit 1; \
 +			${SETENV} _PKGSRC_DEPS=", ${PKGNAME}${_PKGSRC_DEPS}" ${MAKE} ${MAKEFLAGS} $$target PKGNAME_REQD="$$pkg" MAKEFLAGS="" || exit 1; \
  			${ECHO_MSG} "${_PKGSRC_IN}> Returning to build of ${PKGNAME}"; \
  		fi;							\
 THEN REVERT r1.6 of lang/python/
 The original problem on some platform that the apostrophes were an attempt to fix *may* reappear; if it does, I'll be happy to help find the real cause and solution. Some debug ideas, if necessary, in