Ubuntu
linux-source-2.6.15 package

  1. Bug #37435
  2. Comment #7

Comment 7 for bug 37435

Revision history for this message
Ian Jackson (ijackson) wrote : Re: [Bug 37435] Re: maintainer of /var/lib/dpkg/alternatives/ doesn't do updates safely

I'm afraid I agree with Colin Watson and disagree with the approach
taken in the patch. The quote from SuS isn't really helpful since SuS
doesn't ever specify under what circumstances corruption is allowed to
happen after a crash.

Changing update-alternatives to sync is only one small fragment of
this issue: very very many programs do write-to-new-file-and-rename.
If we change them all to do fsync before rename, then the whole system
will become significantly slower when it is doing many of these kind
of operations - for example, during installation and upgrades.

The correct change here is to have the filesystem not write the
metadata until the data is also committed. For example, quoting the
mount(8) manpage, in the section for ext3:

   data=journal / data=ordered / data=writeback
          Specifies the journalling mode for file data. Metadata is
          always journaled. To use modes other than ordered on the root
          file system, pass the mode to the kernel as boot parameter, e.g.
          rootflags=data=journal.

          journal
                 All data is committed into the journal prior to being
                 written into the main file system.

          ordered
                 This is the default mode. All data is forced directly
                 out to the main file system prior to its metadata being
                 committed to the journal.

          writeback
                 Data ordering is not preserved - data may be written into
                 the main file system after its metadata has been commit-
                 ted to the journal. This is rumoured to be the highest-
                 throughput option. It guarantees internal file system
                 integrity, however it can allow old data to appear in
                 files after a crash and journal recovery.

Note that the default mode for ext3 is exactly what is required, and
that update-alternatives works correctly with that. It still isn't
guaranteed, of course, after a crash, that everything is consistent,
but the update-alternatives databases will not be corrupt.

See also similar but slightly gnomic comments in the mount(8) entry
for jfs.

Ian.