Bug#869184: dpkg: source uploads including _amd64.buildinfo cause problems

Vagrant Cascadian vagrant at aikidev.net
Mon Jun 17 21:12:35 BST 2019


On 2019-06-17, Salvatore Bonaccorso wrote:
> On Sun, Jun 16, 2019 at 01:49:24PM -0400, Daniel Kahn Gillmor wrote:
>> On Sun 2019-06-16 15:50:55 +0200, Ivo De Decker wrote:
>> > As "--changes-option=-S" creates an upload that is broken from the point of
>> > view of the archive, it might make sense not to recommend (or even allow) this
>> > for now. Just building with "-S" instead should create a buildinfo file with
>> > _source, which won't trigger this issue.
>> 
>> For the rest of the regular archive, --changes-option=-S is definitely
>> *not* broken.  I use that regularly, and strongly prefer it.  It allows
>> me to document what i managed to build, while still ensuring that the
>> distributed binaries are created by debian's buildd network, and not my
>> own machinery.
>> 
>> I would be pretty sad if --changes-option=-S was explicitly deprecated
>> in any part of the debian archive.
>
> This behaviour is really causing issues for the security-archive so in
> one way or the other there needs to be a solution. Regularly we need
> to fetch the buildd changes and build binary packages, re-sign them and
> reupload them due to this bug.

What's unclear to me is why the workaround in DAK for the main archive,
which adds .buildinfo.N for duplicate .buildinfo filenames, can't be or
hasn't been applied for the security archive. Is there something
fundamentally different with the security archive?

It seems quite late in the freeze cycle to get this fixed in dpkg even
for buster, so it seems worth considering fixing in the archive, unless
I'm missing something?


> Preferred for us would definitively be to find a solution though which does
> not mean the need to disable source only uploads for security-master,
> that IMHO would be a real drawback.
>
> That said, sorry it looks like I'm repeating myself, but I wanted to
> express again that this causes real issues for the work on releasing
> security-updates via the security archive.

Really hard to see that this has dragged on for almost two years now
without resolution!


live well,
  vagrant