Your message dated Fri, 29 May 2026 19:20:07 +0000
with message-id <[email protected]>
and subject line Bug#1136998: fixed in dgit 15.10
has caused the Debian Bug report #1136998,
regarding taint hinting mechanism apparently not working
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136998
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dgit-infrastructure
Version: 15.7

Sean, tl;dr: would you please review my wording below under "Maybe we
should have something like the following message".


In tag2upload job 4185 we see this
  https://lists.debian.org/debian-tag2upload/2026/05/msg00762.html

The report includes
  Could perhaps be forced using --deliberately-<something>.  See dgit(1).

But it ought to have included the hint message
($questionable_head_msg_core et al in dgit-repos-policy-debian).

Looking at the code again, it looks like at the time of this job,
0.12-1 was in unstable.  So package_questionable_head_msg found that
$pkg_exists but not $pkg_secret, and returned undef.

That's kind of correct because if it had carried on it would have said
  Package is in NEW and has not been accepted or rejected yet.

Which is false.  Here, a previous package uploaded with dgit or t2u
was "apparently rejected", but actually AFAICT 0.12-1 was uploaded
with dput.


Maybe we should have something like the following message:

  Previous git-based (dgit or tag2upload) upload into NEW was superseded by a
  non-git-based upload (dput) which was subsequently ACCEPTed.
  We don't know if the non-git-based upload contained a history rewrite.

followed by the rest of the usual $questionable_head_msg_core:

  Unfortunately, we cannot determine automatically what should happen.
  You will have to pass either --untaint-history
  (aka --deliberately-include-questionable-history)
  or --deliberately-not-fast-forward or to specify whether you are
  keeping or discarding the previously pushed history.

  The choice is important, to ensure that your git history is both
  suitable for public distribution and as useful as possible.  Please
  see DEBIAN - TAINTED HISTORY in dgit(7) (from >=forky or trixie-backports)
  or the descriptions of these options in dgit(1),


In this case, the tainted commit bd7e52b037d4 was indeed 0.12-1, which
it appears was REJECTed and replaced with 0.12-2.

There is no mechanism for automatically determining that what changed
between 0.12-1 and 0.12-2 didn't deserve a history rewrite.
(dgit can observe that a history rewrite didn't take place, and
git-debpush can see that the unwritten history is public).

So this package's history will remain tainted until someone does an
upload with --untaint-history.

Perhaps with the creation of the DFSG and New Packages Team, this
whole taint system could be revisited.  I'm not sure whether the
automatic tainting has ever saved us from depositing dangerous history
on dgit-repos, but surely if there has been any dangerous history it
will almost certainly have been published on salsa.

Ian.

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- End Message ---
--- Begin Message ---
Source: dgit
Source-Version: 15.10
Done: Ian Jackson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dgit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ian Jackson <[email protected]> (supplier of updated dgit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 29 May 2026 16:55:09 +0100
Source: dgit
Architecture: source
Version: 15.10
Distribution: unstable
Urgency: medium
Maintainer: Debian tag2upload Delegates <[email protected]>
Changed-By: Ian Jackson <[email protected]>
Closes: 1136998 1137237 1137534
Changes:
 dgit (15.10) unstable; urgency=medium
 .
   Packaging:
   * Fix typo in debian/NEWS entry for 15.0 "dtails" -> "details".
     Closes: #1137237.  [Teemu Hukkanen]
 .
   Infrastructure:
   * dgit-repos-policy-debian: Emit hints for taints in precheck.
     Closes: #1136998.  (Will be effective when deployed on push.dgit.d.o.)
 .
   i18n:
   * nl: Update message translations.
     Closes: #1137534.  [Frans Spiesschaert]
Git-Tag-Info: tag=79234183067fbd088a9973bea6e7c3ee345ec512 fp=41638114d132883b25a20ddd47515757d8002456
Git-Tag-Tagger: Ian Jackson <[email protected]>

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
