Package: gnulib
Severity: wishlist

I don't know how to implement this, so I'll describe it pending inspiration or someone else coming along who wants to work on this.

Let's say we are in a situation where Debian packages Build-Depends on the gnulib package as the source for gnulib-related source code. I've implemented this for libntlm [1], but it could be done for any package that uses gnulib. That approach would reduce the need to audit vendored gnulib code from upstream tarballs. Most packages today (e.g., coreutils, tar, gzip, inetutils) just vendor all gnulib files into the tarball. So this wishlist is more relevant in a future reality where Build-Depends on gnulib is a more widespread solution.

If there is a security bug in gnulib code, it would make sense to manually patch the gnulib package, and then automatically rebuild all the dependent packages to get the fix released, rather than manually patching all packages that have vendored gnulib code in them and releasing those.

The GNULIB_REVISION or --gnulib-refdir mechanism used by gnulib does not support this way of working: the git commit to use comes from the package (e.g., libntlm) via GNULIB_REVISION in bootstrap.conf or through a git submodule that pins the gnulib commit. So patching code in the Debian gnulib package doesn't alter the code that's in the gnulib git commit tree used.

Some mechanism that lets packages pin the gnulib git commit to use AND then lets the Debian gnulib package patch the resulting gnulib code seems to be needed. Possibly we can implement rules via the new /usr/share/gnulib/gnulibvars.mk dpkg makefile snippet. Then all packages that rely on gnulib would have to include that and invoke the hook, in order to allow the gnulib Debian package to provide patched gnulib source code before the package builds it.

/Simon

[1] https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/
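The "pin, then let the distro patch" flow the report asks for, as an added shell example that is not part of the bug report, of gnulib, or of the Debian gnulib package: it reads the package's own GNULIB_REVISION pin from bootstrap.conf, exports exactly that commit from a local gnulib git tree (the role a distro gnulib package would play), and then layers the distribution's patches on top before the package builds. The function names, the patch directory layout (`*.patch`, applied in sorted order) and the `.gnulib-revision` marker file are assumptions.

```sh
#!/bin/sh
# Added example: honour a package's gnulib commit pin, then apply distro patches.
set -eu

# Read the GNULIB_REVISION pin from a package's bootstrap.conf (shell syntax);
# the last assignment wins, quotes are stripped.
gnulib_pinned_revision() {
    sed -n 's/^[[:space:]]*GNULIB_REVISION=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# gnulib_prepare REFDIR BOOTSTRAP_CONF PATCHDIR OUTDIR
#   REFDIR         local gnulib git tree (what a distro gnulib package ships)
#   BOOTSTRAP_CONF the dependent package's bootstrap.conf carrying the pin
#   PATCHDIR       distro-maintained patches (assumed layout: NNNN-*.patch)
#   OUTDIR         where the pinned-and-patched gnulib tree is written
gnulib_prepare() {
    refdir=$1 conf=$2
    patchdir=$(cd "$3" && pwd)          # absolute, since git -C changes directory
    mkdir -p "$4"
    outdir=$(cd "$4" && pwd)
    rev=$(gnulib_pinned_revision "$conf")
    [ -n "$rev" ] || { echo "no GNULIB_REVISION in $conf" >&2; return 1; }
    # The pin must resolve to a commit in the shipped tree, otherwise stop early
    # instead of silently building from whatever HEAD happens to be.
    git -C "$refdir" rev-parse --verify --quiet "$rev^{commit}" >/dev/null \
        || { echo "pinned commit $rev not present in $refdir" >&2; return 1; }
    # 1. Export exactly the pinned commit, not HEAD of the reference tree.
    git -C "$refdir" archive --format=tar "$rev" | tar -x -C "$outdir"
    # 2. Layer the distro's patches (e.g. a security fix) on top of that export.
    #    git apply works outside a repository, so OUTDIR need not be a git tree.
    for p in "$patchdir"/*.patch; do
        [ -e "$p" ] || continue             # no patches: nothing to do
        if ! git -C "$outdir" apply "$p"; then
            echo "patch $p does not apply to gnulib $rev" >&2
            return 1
        fi
    done
    # Record which commit the tree was derived from, for later auditing.
    printf '%s\n' "$rev" > "$outdir/.gnulib-revision"
}
```

A patch that no longer applies to the pinned commit fails the build loudly, which is the signal a maintainer wants when a dependent package pins a gnulib revision the distro patch was not written against.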