Bug#869184: dpkg: source uploads including _amd64.buildinfo cause problems
Mattia Rizzolo
mattia at debian.org
Tue Jun 18 17:35:03 BST 2019
On Tue, Jun 18, 2019 at 06:29:12PM +0200, Ansgar Burchardt wrote:
> The .buildinfo files are referred to in the .changes files; renaming
> them would require updating the .changes file. The .changes files are
> used to upload the security updates to ftp-master.
With .changes being ephemeral, it feels to me that using them to cross
the archive is not really a good solution, and whatever is used to copy
packages from one archive to another (is it dak itself?) should instead
re-create the upload and re-sign it. Also because that way it would be
perfectly able to "upload" all of the sources+binaries from sec-master
to ftp-master in a single go, which can't be bad.
> ftp-master also has the same problem when uploads end up in policy
> queues (the renaming to .buildinfo.N is only done when dak is "done"
> with the file and will never touch it again).
Also here, it feels to me that once something is accepted into a policy
queue, dak should already consider it something controlled by itself,
store checksums in the database and be done, not keep the .changes
around as a "source of truth" for additional processing, imho.
Sure, I understand that things works like that, I'm just showing a few
design points that could potentially be done differently.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-builds/attachments/20190618/1ea7bcab/attachment.sig>
More information about the Reproducible-builds
mailing list