A few small questions

debian.org at spam.lublink.net
Sun Aug 27 22:31:35 BST 2023


On 2023-08-27 16:22, Jonas Smedegaard wrote:
> Quoting debian.org at spam.lublink.net (2023-08-27 21:56:42)
>> Hello Jonas, Hello all!
>> 
>> I am looking to take a more active role in the VoIPTeam and I have a lot
>> of questions, so here we go :
>> 
>> Work flow :
>> 
>> 1. How do we submit fixes? I notice that Salsa ( GitLab ) seems to be
>> the platform for tracking changes. Small fixes seem like they can easily
>> be sent into debian/latest, what about larger changes? If I update a
>> package to a newer version, what is your typical workflow? Other than
>> checking changes to dependencies, what else might change ?
> 
> Please first take small steps and leave giant leaps - like upgrades to
> newer upstream releases - to me for now.
> 
> Not that I want to keep you in the dark, just that it is more complex,
> and there is more than one way to do things and it can quickly get
> confusing if not following same packaging style - as was the case in the
> past with asterisk changing hands between me and other experienced
> Debian developers each of us using different packaging style.
> 
> 
> 
>> 2. You mentioned not to use MR on Salsa, what is the proper way to
>> submit new versions for packaging ?
> 
> This seems a repeat question.  Please leave that to me for now.
> 
> 
>> 3. How is Salsa handling the fact that Baresip/libre/librem all have
>> debian folders upstream?
> 
> git-buildpackage ignores debian subdir - see `man gbp-import-orig` for
> some info on this, and `man dpkg-source` section "Format: 3.0 (quilt)"
> for other parts.  Sorry, I don't know how to explain it more simply.
> This is why I recommend to take small steps at first.
> 
> 
>> Bug handling:
>> 1. How do we deal with stale bugs? What are the criteria to close it?
>> Does the Debian release have to be out of support or is there some other
>> requirement ?
> 
> Yes, bugs stay open as long as buggy package is supported in Debian -
> i.e. typically until and including oldstable.
> 
> 
>> 2. there is a bug about fail2ban ( bug tracker #1024822 ) that reports
>> another package has broken against one of our packages. It would seem
>> that fail2ban has a configuration for our package asterisk, and that one
>> of our changes broke their package. How do we handle this? Do we send
>> them notice that the path has changed? How do I find the authoritative
>> package for fail2ban? there are dozens of repos on Salsa... How do we
>> send patches outside of the voipteam ?
> 
> Please discuss specific bugs at the bugreport: Send email to
> 1024822 at bugs.debian.org and you automatically get subscribed to further
> discussion for that bugreport - for more on that, see `man bts`.
> 
> 
>> Asterisk and CVEs:
>> 
>> Asterisk is an important piece of software used by a very large number
>> of users, it is unthinkable/unacceptable that it not be included in
>> every Debian release( #1031046 ).
> 
> Please discuss specific bugs at their respective bugreport.
> 
> 
>> 1. If we can raise enough interest/time commitments on the mailing list,
>> can we still fix the situation? Appeal #1031046  and return Asterisk to
>> the repository? There are literally hundreds of thousands, if not
>> millions, of users that depend on Asterisk and are depending on Debian
>> for timely security patches. Can we appeal to the security team and get
>> Asterisk re-added to Bookworm? How many people need to give what effort
>> to fix this ?
> 
> Repost that question at the bugreport, please.
> 
> 
>> 2. According to the bug tracker, Asterisk 16 seems to still exist, but
>> there have been multiple security fixes ( 16.28 vs. 16.30
>> https://ci.debian.net/packages/a/asterisk/ ) ! How do I update this? Can
>> I just download the tar.gz from asterisk.org and post it to some git
>> branch I clone ? Or do I have to somehow generate patches just for
>> security fixes?
> 
> Please do *not* import new upstream versions - maybe you do it right but
> maybe you don't and cause the git repo to be messy to clean up again and
> more confusing for yourself to understand what is happening.  Please
> leave such larger changes to me.
> 
>> Does Debian accept version bumps that included
>> non-security fixes ?  Can we peg the Debian releases to the LTS releases
>> from Asterisk to ensure the best level of response for CVE and other
>> updates?
> 
> No, generally security updates need to be narrow and targeted.  (there
> are exceptions, but do *not* assume that you happen to be in a situation
> that fits those very rare exceptions).
> 
> 
>> 1. In one of the instances of the libre library, it was called libre0. Where
>> did the zero come from ?
> 
> There are source packages and binary packages.  Libraries generally
> include SONAME in binary packages, to ease migrations.  More details on
> that at https://www.debian.org/doc/debian-policy/ and
> https://www.debian.org/doc/manuals/developers-reference/ - and various
> other pieces some referenced from https://www.debian.org/devel/ and some
> from https://wiki.debian.org pages.
> 
> 
>> 2. When using gbp-pbuilder, is there a parameter to automatically
>> install any dependencies needed to build ? ( like --mk-build-deps )
> 
> Yes, there are several ways to do that.  I use cowbuilder:
> https://wiki.debian.org/cowbuilder - another popular framework is
> sbuild (but I don't use that so cannot help with it).
> 
> 
>  - Jonas


I guess my next question is, and it might be the same for others looking
to contribute, what next small steps can we take ?

David
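
The SONAME-based naming of library packages mentioned in the quoted reply (the "0" in libre0), as an added example that is not part of the original thread: a shell function applying the naming convention from Debian Policy section 8.1, including the hyphen inserted when the library name ends in a digit. The function name `soname_to_pkg` and the sample SONAMEs, including `libre.so.0`, are constructed for illustration.

```shell
#!/bin/sh
# Derive a Debian binary package name from a shared library SONAME,
# following the naming convention in Debian Policy section 8.1.
# soname_to_pkg is a hypothetical helper name, not an existing tool.
soname_to_pkg() {
    printf '%s\n' "$1" |
        LC_ALL=C sed -E \
            -e 's/([0-9])\.so\./\1-/' \
            -e 's/\.so(\.|$)//' \
            -e 'y/_/-/' |
        LC_ALL=C tr 'A-Z' 'a-z'
    # 1st rule: name ends in a digit -> separate name and version with "-"
    # 2nd rule: otherwise drop ".so." (or a trailing ".so") entirely
    # 3rd rule and tr: package names use "-" and lowercase only
}

# Constructed sample SONAMEs (not read from real packages).
for soname in libre.so.0 libfoo2.so.3 libFoo_bar.so.1 libfoo-1.2.so; do
    printf '%-18s -> %s\n' "$soname" "$(soname_to_pkg "$soname")"
done
```

On a built library the SONAME itself can be read with `objdump -p <file> | grep SONAME`; when upstream bumps it, the binary package name changes with it, which is what lets old and new library versions coexist during a migration.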
