Bug#869184: dpkg: source uploads including _amd64.buildinfo cause problems

Ivo De Decker ivodd at debian.org
Sun Jun 16 14:50:55 BST 2019


Hi,

Last week, Salvatore pointed me at this bug and Holger mentioned it in his
talk.

On Thu, May 09, 2019 at 07:24:56PM +0200, Salvatore Bonaccorso wrote:

[...]

> We regularly get bitten by this issue when contributors to security
> uploads, most recently with the bind9 upload but as well others.

Is it clear in what cases this issue happens? Guillem mentioned
"dpkg-buildpackage --changes-option=-S" in https://bugs.debian.org/869184#75
Are there any other use cases that trigger it?

As "--changes-option=-S" creates an upload that is broken from the point of
view of the archive, it might make sense not to recommend (or even allow) this
for now. Just building with "-S" instead should create a buildinfo file with
_source, which won't trigger this issue.

> Would it be possible to at least work around this on dak's side?
> Disabling source-only uploads completely would seem to be a step back
> in that regard.

There was this commit almost 2 years ago, which cleanly rejects these uploads,
allowing the uploader to do a new upload:
https://salsa.debian.org/ftp-team/dak/commit/7d234eaa5

However it was disabled shortly after (because it was rejecting a lot of
uploads):
https://salsa.debian.org/ftp-team/dak/commit/f9eb90374

Maybe this check should be enabled again. The beginning of the bullseye cycle
might be a good time to do that.

Even if that is considered too disruptive, this check could be enabled for the
security archive only, which would probably be better than to disable
source-only uploads there.


Thanks,

Ivo
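
A pre-upload check for the condition discussed in the message above, as an added example that is not part of the original mail and is not dak's or dpkg's code. It assumes a source-only upload is one whose .changes Architecture field is exactly "source", and the sample .changes bodies, the package name and the function names are constructed for illustration:

```python
import re

# Constructed sample .changes bodies (abbreviated; checksums are placeholders).
BROKEN = """\
Format: 1.8
Source: hello
Architecture: source
Version: 1.0-1
Files:
 00000000000000000000000000000000 1234 misc optional hello_1.0-1.dsc
 00000000000000000000000000000000 5678 misc optional hello_1.0-1.debian.tar.xz
 00000000000000000000000000000000 4321 misc optional hello_1.0-1_amd64.buildinfo
"""
GOOD = BROKEN.replace("_amd64.buildinfo", "_source.buildinfo")


def parse_changes(text):
    """Return (architectures, filenames) from a .changes body."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):          # continuation of a multi-line field
            if current:
                fields[current].append(line.strip())
            continue
        m = re.match(r"([A-Za-z0-9-]+):\s*(.*)", line)
        current = m.group(1).lower() if m else None
        if m:
            fields[current] = [m.group(2)] if m.group(2) else []
    archs = set(" ".join(fields.get("architecture", [])).split())
    files = [entry.split()[-1] for entry in fields.get("files", []) if entry]
    return archs, files


def offending_buildinfo(text):
    """For a source-only .changes, list buildinfo files not named *_source.buildinfo."""
    archs, files = parse_changes(text)
    if archs != {"source"}:                   # assumption: this marks source-only
        return []
    return [f for f in files
            if f.endswith(".buildinfo") and not f.endswith("_source.buildinfo")]


if __name__ == "__main__":
    for name, body in (("broken", BROKEN), ("good", GOOD)):
        print(name, offending_buildinfo(body))
```

A non-empty result means the upload should be rebuilt with plain "-S" before it is sent to the archive.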



