Debian Bug report logs - #863470
ftp.debian.org: security sync must not exclude .buildinfo

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Rene Engelhard <rene@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ftp.debian.org: security sync must not exclude .buildinfo

Date: Sat, 27 May 2017 13:01:03 +0200

Package: ftp.debian.org
Severity: important

[ I pondered to make it RC, feel free to adjust... ]

Hi,

$ grep buildinfo libreoffice_4.3.3-2+deb8u7_source+amd64+all.changes 
 bcc561d0ccdcbada26809bae7ee9d8e0d3bb23c8 15696 libreoffice_4.3.3-2+deb8u7_source.buildinfo
 0ec1d03f1d6b789c8a1d6d374185892dba2008d6b8398b3394d607c0ddef7809 15696 libreoffice_4.3.3-2+deb8u7_source.buildinfo
 8701eadc28010054360951434f9be8c1 15696 editors optional libreoffice_4.3.3-2+deb8u7_source.buildinfo

Yes, this is not really expected for a _jessie_ update but I built the source
package in stretch and fed it to sbuild without thinking of .buildinfo.

This resulted in the packages never appearing in s-p-u (or well, being REJECTED).

From my IRC logs (2017-04-30):

08:25 < jcristau> adsb: i didn't want to re-sign the dsc since it's already published on security...
08:54 < jcristau> adsb: reuploading rene's .changes including the buildinfo
08:55 < jcristau> let's see what happens
08:55 < jcristau> maybe it'll complain about .dsc replay
09:28 < jcristau> libreoffice | 1:4.3.3-2+deb8u7         | stable-new         | source, amd64
[...]
09:53 < _rene_> jcristau: did I broke something? (yes, admittedly I did debuild -S -i on my host stretch and then fed it to sbuild for jessie..)
09:53 < _rene_> s/broke/break/
09:54 < _rene_> jcristau: (and then mergechanges)
09:56 -!- Guest1495 [~pabs@pabs.user.oftc.net] has quit [Ping timeout: 480 seconds]
10:00 < jcristau> _rene_: the sync from security to ftp-master doesn't know about buildinfo, so it tried to upload without it, and queued choked
10:00 < _rene_> ah
10:01 < jcristau> so last night i removed buildinfo from .changes and re-signed, but that got rejected as different key from the .dsc; this morning i just uploaded your .changes including the buildinfo which was kept on security-master
10:02 < jcristau> we should be ok now, other than getting the other archs back from reject, i think
10:02 < _rene_> yeah, saw the reject and wondered, then saw parts of the discussion here, and wondered more ;)
10:02  * _rene_ would have assumed security did a dput which wouldn't have breaked, would it?
10:02 < _rene_> does it do manual stuff?
10:03 < jcristau> find ${queuedir}/accepted -type f -exec mv -t /srv/queued/ftpmaster '{}' +
10:03 < jcristau> and then queued uploads from /srv/queued/ftpmaster to usper
10:03 < _rene_> ugh
10:03 < jcristau> but i'm guessing buildinfo isn't in /accepted
10:04 < _rene_> ok, but that means any stretch-security thing will have that problem?
10:04 < _rene_> built on stretch with .buildinfo...
10:05 < _rene_> probably needs to be fixed before stretch gets DSAs ;)

So if I get this right any package having .buildinfo will fail at this stage.

Which will get problematic in stretch security updates since anything built
inside stretch will not only have the source but also the binary .buildinfo's.

I think  this must be (somehow) fixed before stretch releases to be able
to do security updates (well, sync them into s-p-u and not get lost and needing
manual recovery).

Regards,

Rene

Message #8 received at 863470@bugs.debian.org (full text, mbox, reply):

From: Ansgar Burchardt <ansgar@debian.org>

To: 863470@bugs.debian.org

Subject: Re: Bug#863470: ftp.debian.org: security sync must not exclude .buildinfo

Date: Wed, 07 Jun 2017 20:44:59 +0200

Rene Engelhard writes:
> So if I get this right any package having .buildinfo will fail at this stage.
>
> Which will get problematic in stretch security updates since anything built
> inside stretch will not only have the source but also the binary .buildinfo's.
>
> I think  this must be (somehow) fixed before stretch releases to be able
> to do security updates (well, sync them into s-p-u and not get lost and needing
> manual recovery).

My current plan is to make dak handle .buildinfo files like .changes in
policy queues.  That is, store them in dists/${suite} and copy them into
the Process-Policy::CopyDir directory when the upload is accepted.

Maybe only copy them into dists/${suite} when CopyDir is set so this
only happens on sec-master and not for p-u on ftp-master.

Ansgar

Message #13 received at 863470-done@bugs.debian.org (full text, mbox, reply):

From: Ansgar Burchardt <ansgar@debian.org>

To: 863470-done@bugs.debian.org

Subject: Re: Bug#863470: ftp.debian.org: security sync must not exclude .buildinfo

Date: Sat, 10 Jun 2017 16:20:56 +0200

Ansgar Burchardt writes:
> Rene Engelhard writes:
>> So if I get this right any package having .buildinfo will fail at this stage.
>>
>> Which will get problematic in stretch security updates since anything built
>> inside stretch will not only have the source but also the binary .buildinfo's.
>>
>> I think  this must be (somehow) fixed before stretch releases to be able
>> to do security updates (well, sync them into s-p-u and not get lost and needing
>> manual recovery).
>
> My current plan is to make dak handle .buildinfo files like .changes in
> policy queues.  That is, store them in dists/${suite} and copy them into
> the Process-Policy::CopyDir directory when the upload is accepted.
>
> Maybe only copy them into dists/${suite} when CopyDir is set so this
> only happens on sec-master and not for p-u on ftp-master.

This is implemented now (though the .buildinfo files get stored in the
policy queue, not below dists/).

Ansgar

Send a report that this bug log contains spam.