Bug#869184: dpkg: source uploads including _amd64.buildinfo cause problems
Guillem Jover
guillem at debian.org
Fri Nov 9 10:55:38 GMT 2018
Hi!
On Fri, 2018-11-09 at 11:48:27 +0100, Guillem Jover wrote:
> On Thu, 2018-11-08 at 20:28:57 +0000, Holger Levsen wrote:
> > On Thu, Nov 08, 2018 at 09:24:01PM +0100, Salvatore Bonaccorso wrote:
> > > We were again biten by this issue for some security-updates (most
> > > recent one nginx). Do any involved parties know, was there any
> > > progress in adressing this problem?
>
> Sorry, had your earlier mail from July marked for reply, but it seems
> I missed that. :/
>
> > in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869184#40 Guillem
> > wrote:
> >
> > Perhaps the simplest and more correct might be to name it using
> > something like source+amd64 as the arch name, which seems like a
> > dubious arch, but at least is accurate and might be trivial to
> > implement, taking care of not ending up with such fake arch in
> > unexpected places…
> >
> > and I cannot find anything wrong with this simple solution and have
> > already asked Guillem in August to implement this ;)
>
> So, as I mentioned at the time this would require modifing the internal
> filtering of the debian/files entries to cover this case in several of
> the tools. It also modifies the documented filename pattern in
> deb-buildinfo(5). This is all solvable and I should probably just do it.
> But this breaks previous public filename "interfaces", seems rather
> intrusive, and entirely inappropriate for a stable update, which means
> it would not fix your immediate problems anyway, only starting with
> Buster. :/
Actually, I guess the other option that might be an option for stable is
to make dpkg-buildpackage generate the buildinfo file itself, and on
source-only uploads force the name to be _source.buildinfo regardless
of the options passed down to dpkg-genbuildinfo (even if the contents
will end up not matching the name).
This would seem rather less intrusive, as that only changes the
behavior in a "corner-case" (even though documented and recommended
one), when using «dpkg-buildpackage --changes-option=-S». And while it
could be considered to produce confusing filenames, it sticks to the
current pattern. It would also fix the other bug where running
dpkg-genbuildinfo leaves debian/files around, even on source only
builds.
So, I might go with that instead.
Thanks,
Guillem
More information about the Reproducible-builds
mailing list