Bug#1072205: prevent re-using package versions for NMUs

Johannes Schauer Marin Rodrigues josch at debian.org
Thu May 30 10:16:48 BST 2024


Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
User: reproducible-builds at lists.alioth.debian.org
Usertags: infrastructure
User: ftp.debian.org at packages.debian.org
Usertags: dak

Hi,

the binary package bash 5.2.15-2+b3 was uploaded to the archive twice. Once to
bookworm and once to sid but with differing content. Here is a diff of their
d/changelog:

@@ -1,6 +1,6 @@
-bash (5.2.15-2+b3) bookworm; urgency=low, binary-only=yes
+bash (5.2.15-2+b3) sid; urgency=low, binary-only=yes
 
   * Binary-only non-maintainer upload for arm64; no source changes.
   * Rebuild for outdated Built-Using (glibc/2.36-9)
 
- -- arm Build Daemon (arm-ubc-03) <buildd_arm64-arm-ubc-03 at buildd.debian.org>  Fri, 29 Mar 2024 13:22:36 +0000
+ -- arm Build Daemon (arm-ubc-02) <buildd_arm64-arm-ubc-02 at buildd.debian.org>  Thu, 13 Jul 2023 09:12:53 +0000
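
Review bot: the version on the first changelog line, 5.2.15-2+b3, is identical on both sides even though the suite (bookworm vs sid), the build daemon (arm-ubc-03 vs arm-ubc-02) and the trailer date (29 Mar 2024 vs 13 Jul 2023) all differ, so the version alone cannot tell the two builds apart. The later of the two uploads should have been given a binNMU version that was not already used in the archive.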

This is not only confusing for apt (it will not be able to figure out which of
the two is installed because dpkg does not keep track of package hashes) but it
is also problematic for reproducible builds because the buildinfo file records
packages by their name/architecture/version tuple and relies on those to be
unique throughout the history of Debian.

This example with bash is especially problematic since bash is Essential:yes so
there will now be a large portion of buildinfo files where it is not possible
to figure out with which of the two differing bash packages the sources were
compiled.

snapshot.d.o also shows the issue and could probably be used to get an idea how
many packages are affected:

http://snapshot.debian.org/package/bash/5.2.15-2/#bash_5.2.15-2:2b:b3

Maybe this issue is blocked by #620356?

Thanks!

cheers, josch
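
One way to look for the collision described in this report is to compare the Packages indices of two suites and flag any name/architecture/version tuple published with more than one hash. This is an added example, not part of the original message and not code from dak or snapshot.debian.org; the stanzas, the hash placeholders and the package `example-pkg` are constructed.

```python
from collections import defaultdict

# Constructed Packages-index excerpts. Hash values are placeholders and
# "example-pkg" is hypothetical; only the bash tuple comes from the report.
BOOKWORM = """\
Package: bash
Version: 5.2.15-2+b3
Architecture: arm64
Essential: yes
SHA256: CONSTRUCTED-HASH-A

Package: example-pkg
Version: 1.0-1
Architecture: arm64
SHA256: CONSTRUCTED-HASH-C
"""
# Same tuples in sid, but bash was rebuilt with different content.
SID = BOOKWORM.replace("CONSTRUCTED-HASH-A", "CONSTRUCTED-HASH-B")


def parse_stanzas(text):
    """Yield one dict per deb822 stanza (blank-line separated 'Key: value' fields)."""
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            yield fields


def find_version_reuse(suites):
    """Return {(name, arch, version): {sha256: [suites]}} for tuples with >1 hash."""
    seen = defaultdict(lambda: defaultdict(list))
    for suite, text in suites.items():
        for s in parse_stanzas(text):
            ident = (s["Package"], s["Architecture"], s["Version"])
            seen[ident][s["SHA256"]].append(suite)
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for ident, hashes in find_version_reuse({"bookworm": BOOKWORM, "sid": SID}).items():
        print("reused version:", ident, hashes)
```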


