#872587 debian-policy: please document "Important: yes"

#872587#5
Date:
2017-08-18 20:52:58 UTC
From:
To:
Hi!
A couple of packages with "Important: yes" has just hit unstable (mount,
fdisk) -- or rather, _would_ hit unstable had dpkg-gencontrol not silently
ignored this field.

The problem is, this field is currently undocumented and unofficial.

Support in frontends in Stretch looks good enough, thus I believe there's no
reason to avoid using this field in Buster.  I've tested apt, dselect, aptitude,
synaptic, gnome-packagekit, apper -- only nit is messages talking about
"essential", but that's okayish.  There is a frontend that doesn't know this
field, cupt, but with popcon vote 23, the cross-section of people who 1. try
to remove an Important:yes package, 2. use cupt, 3. use Stretch's version
of tools to remove a Buster's package, is expected to be nil.

On the other hand, dpkg does not know the field.  It won't say a word upon
removal, and dpkg-gencontrol silently removes it.  Currently to build such a
package you need a hack like:

override_dh_gencontrol:
        dh_gencontrol
        sed -e '2i Important: yes' -i debian/${PACKAGE}/DEBIAN/control


Thus, some Policy guidance would be nice.  Is it legal to use "Important:
yes" at this moment?


As far as I know, the intended behaviour is to make a package:
* easy to not install
* hard to remove
Ie, it's meant to protect stuff like "init" or "mount" from being removed,
while not wasting space on a buildd chroot or a container.
Current state of the these packages is:
* mount: Important:yes, Depends: path from both systemd and
  sysvinit-core→initscripts
* init: no protection at all
Thus obviously "init" wants this to be set.

#872587#10
Date:
2017-08-18 21:28:22 UTC
From:
To:
Hello Adam,

Thank you for filing this bug.

It wouldn't be up to policy whether it's legal.  We document fields in
policy once they are already in use in the archive.

Do you have any idea how long we can expect to wait until dpkg supports
the field?  I would suggest that we wait until dpkg has defined
behaviour for the field, as it will make documenting it much easier.  It
will also allow us to be more confident that there is no serious
disagreement about the purpose of the field.

I couldn't find a bug against dpkg, but if there is one, it should
probably be set to block this bug.

#872587#15
Date:
2017-08-18 21:36:45 UTC
From:
To:
Control: block 872587 by 872589

src:util-linux just added it on two of its binaries (mount and fdisk), thus
the field can be said to be in use.

Right, let's have dpkg maintainers tell us what they think.

872587 < 872589, I filed the Policy one first.  Block added.


Meow!

#872587#22
Date:
2017-08-19 07:01:08 UTC
From:
To:
If he just want to use the field, no change to dpkg is necessary.  dpkg
supports user defined fields since at least 15 years, when d-i started
to rely on them.  See deb-src-control(5) for information.

Bastian

#872587#27
Date:
2023-09-12 04:27:09 UTC
From:
To:
Adam Borowski <kilobyte@angband.pl> writes:
instead.  Retitling the bug accordingly.

The documentation from deb-control(5) is:

Protected: yes|no
    This field is usually only needed when the answer is yes.  It denotes
    a package that is required mostly for proper booting of the system or
    used for custom system-local meta-packages.  dpkg(1) or any other
    installation tool will not allow a Protected package to be removed (at
    least not without using one of the force options).

It's probably also worth noting the parenthetical comment in the
documentation of Essential:

Essential: yes|no
    This field is usually only needed when the answer is yes.  It denotes
    a package that is required for the packaging system, for proper
    operation of the system in general or during boot (although the latter
    should be converted to Protected field instead).  dpkg(1) or any other
    installation tool will not allow an Essential package to be removed
    (at least not without using one of the force options).

(And while we're there, we don't document the Build-Essential field
either.)

#872587#34
Date:
2024-03-27 11:29:50 UTC
From:
To:
I'm still not sure that I inderstand the difference between those two.
They seem to accomplish the same thing. Did I miss something?

It should also be noted that, as of version 2.117.0, Lintian still
gives a warning whenever a binary target has the Protected field set.

Martin-Éric

#872587#39
Date:
2024-03-27 11:56:05 UTC
From:
To:
Per my understanding which may be flawed:

"Essential: yes" are always installed. Tools and dependencies assume they
are installed.  Bootstrapping tools install them implicitly. Package
management tools refuse to remove them.

"Protected: yes" are nothing like that. Package management tools refuse to
remove them and that's all.

#872587#44
Date:
2024-03-27 12:43:40 UTC
From:
To:
ke 27. maalisk. 2024 klo 14.00 Andrey Rakhmatullin (wrar@debian.org) kirjoitti:
deb-control(5) needs a much better phrasing. Something like:

Protected: yes|no
This field prevents a package from getting auto-removed by dpkg
without using one of the force options. It is intended for custom
local packages not meant for upload to the Debian repository.

Essential: yes|no
This field prevents a package from getting auto-removed by dpkg
without using one of the force options. It also makes debootstrap and
other similar tools force-install them. Maintainers must request
approval from the debian-devel mailing list before uploading any
package with the Essential field set to the Debian repository. See
Essential packages (Section 3.8) in the Debian Policy Manual for
details.

Martin-Éric

#872587#49
Date:
2024-03-27 13:31:33 UTC
From:
To:
Another way to look at this is that if a Protected package is already
installed, then package management behaves as though it's Essential,
but if a Protected package is merely available from a configured apt
source, then nothing special happens.

True so far...
for non-local packages that are required for system boot, or for package
management. The design principle is that if it would be hard to recover
from removing a package once it has been installed, then it's Protected.

An example of Protected: yes on boot packages is that the init metapackage
is Protected: yes, to make sure you don't accidentally remove the init
system and make the system unbootable (which is hard to recover from
because before you can install a new init system, you need to be able to
boot). It might also make sense for bootloaders like grub to be Protected:
yes, although currently they are not.

An example of Protected: yes on package management packages is that it
would be appropriate to put Protected: yes on apt (although in fact apt
is hard-coded to behave that way even without Protected: yes), to avoid
accidentally getting into a situation where you have removed apt
(which is hard to recover from because now there's no package manager,
and no easy-to-validate trust chain to check that a manually-downloaded
apt_*.deb is authentic).

    smcv