[Pkg-javascript-devel] Bug#1140480: llhttp: binary-any build depends on binary-all package from the same source
Adrian Bunk
bunk at debian.org
Sun Jun 21 12:48:13 BST 2026
Source: llhttp
Severity: serious
Tags: ftbfs
X-Debbugs-Cc: debian-wb-team at lists.debian.org, security at debian.org, John Paul Adrian Glaubitz <glaubitz at physik.fu-berlin.de>
debian/control of llhttp:
Source: llhttp
...
Build-Depends-Arch:
...
, libllhttp-source (>= 9.4.2+~cs12.11.9~)
...
Package: libllhttp-source
...
Architecture: all
While this kinda works in unstable, it depends on implementation
details and is rather fragile.
This cannot work when amd64+all is a combined build,
as some of our derivatives (e.g. Ubuntu) are doing.
In unstable it works due to incoming.debian.org providing the
binary-all packages for 2 days. llhttp is a package not unlikely
to have DSAs once it is in a stable release, and I doubt this setup
would work in security when a DSA updates to a new upstream version.
I would guess the original motivation was supporting ports
architectures without Node.js and LLVM, but the current
setup causes more problems than it solves.
Less bad options might be a separate source package for the
binary-any build (with Static-Built-Using), or using a different
HTTP Parser in libgit on ports architectures.
More information about the Pkg-javascript-devel
mailing list