A few small questions

Jonas Smedegaard jonas at jones.dk
Sun Aug 27 21:22:37 BST 2023


Quoting debian.org at spam.lublink.net (2023-08-27 21:56:42)
> Hello Jonas, Hello all!
> 
> I am looking to take a more active role in the VoIPTeam and I have a lot 
> of questions, so here we go :
> 
> Work flow :
> 
> 1. How do we submit fixes? I notice that Salsa ( GitLab ) seems to be 
> the platform for tracking changes. Small fixes seem like they can easily 
> be sent into debian/latest, what about larger changes? If I update a 
> package to a newer version, what is your typical workflow? Other than 
> checking changes to dependencies, what else might change ?

Please first take small steps and leave giant leaps - like upgrades to
newer upstream releases - to me for now.

Not that I want to keep you in the dark, just that it is more complex,
and there is more than one way to do things and it can quickly get
confusing if not following same packaging style - as was the case in the
past with asterisk changing hands between me and other experienced
Debian developers each of us using different packaging style.



> 2. You mentioned not to use MR on Salsa, what is the proper way to 
> submit new versions for packaging ?

This seems a repeat question.  Please leave that to me for now.


> 3. How is Salsa handling the fact that Baresip/libre/librem all have 
> debian folders upstream?

git-buildpackage ignores debian subdir - see `man gbp-import-orig` for
some info on this, and `man dpkg-source` section "Format: 3.0 (quilt)"
for other parts.  Sorry, I don't know how to explain it more simply.
This is why I recommend to take small steps at first.


> Bug handling:
> 1. How do we deal with stale bugs? What are the criteria to close it? 
> Does the Debian release have to be out of support or is there some other 
> requirement ?

Yes, bugs stay open as long as buggy package is supported in Debian -
i.e. typically until and including oldstable.


> 2. there is a bug about fail2ban ( bug tracker #1024822 ) that reports 
> another package has broken against one of our packages. It would seem 
> that fail2ban has a configuration for our package asterisk, and that one 
> of our changes broke their package. How do we handle this? Do we send 
> them notice that the path has changed? How do I find the authoritative 
> package for fail2ban? there are dozens of repos on Salsa... How do we 
> send patches outside of the voipteam ?

Please discuss specific bugs at the bugreport: Send email to
1024822 at bugs.debian.org and you automatically get subscribed to further
discussion for that bugreport - for more on that, see `man bts`.


> Asterisk and CVEs:
> 
> Asterisk is an important piece of software used by a very large number 
> of users, it is unthinkable/unacceptable that it not be included in 
> every Debian release ( #1031046 ).

Please discuss specific bugs at their respective bugreport.


> 1. If we can raise enough interest/time commitments on the mailing list, 
> can we still fix the situation? Appeal #1031046  and return Asterisk to 
> the repository? There are literally hundreds of thousands, if not 
> millions, of users that depend on Asterisk and are depending on Debian 
> for timely security patches. Can we appeal to the security team and get 
> Asterisk re-added to Bookworm? How many people need to give what effort 
> to fix this ?

Repost that question at the bugreport, please.


> 2. According to the bug tracker, Asterisk 16 seems to still exist, but 
> there have been multiple security fixes ( 16.28 vs. 16.30 
> https://ci.debian.net/packages/a/asterisk/ ) ! How do I update this? Can 
> I just download the tar.gz from asterisk.org and post it to some git 
> branch I clone ? Or do I have to somehow generate patches just for 
> security fixes?

Please do *not* import new upstream versions - maybe you do it right but
maybe you don't and cause the git repo to be messy to clean up again and
more confusing for yourself to understand what is happening.  Please
leave such larger changes to me.

> Does Debian accept version bumps that included 
> non-security fixes ?  Can we peg the Debian releases to the LTS releases 
> from Asterisk to ensure the best level of response for CVE and other 
> updates?

No, generally security updates need to be narrow and targeted.  (there
are exceptions, but do *not* assume that you happen to be in a situation
that fits those very rare exceptions).


> 1. In one of the instances of the libre library, it was called libre0. Where 
> did the zero come from ?

There are source packages and binary packages.  Libraries generally
include SONAME in binary packages, to ease migrations.  More details on
that at https://www.debian.org/doc/debian-policy/ and
https://www.debian.org/doc/manuals/developers-reference/ - and various
other pieces some referenced from https://www.debian.org/devel/ and some
from https://wiki.debian.org pages.


> 2. When using gbp-pbuilder, is there a parameter to automatically 
> install any dependencies needed to build ? ( like --mk-build-deps )

Yes, there are several ways to do that.  I use cowbuilder:
https://wiki.debian.org/cowbuilder - another popular framework is
sbuild (but I don't use that so cannot help with it).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private