Package: ftp.debian.org
Severity: important

[ I pondered to make it RC, feel free to adjust... ]

Hi,

$ grep buildinfo libreoffice_4.3.3-2+deb8u7_source+amd64+all.changes
 bcc561d0ccdcbada26809bae7ee9d8e0d3bb23c8 15696 libreoffice_4.3.3-2+deb8u7_source.buildinfo
 0ec1d03f1d6b789c8a1d6d374185892dba2008d6b8398b3394d607c0ddef7809 15696 libreoffice_4.3.3-2+deb8u7_source.buildinfo
 8701eadc28010054360951434f9be8c1 15696 editors optional libreoffice_4.3.3-2+deb8u7_source.buildinfo

Yes, this is not really expected for a _jessie_ update but I built the source
package in stretch and fed it to sbuild without thinking of .buildinfo.

This resulted in the packages never appearing in s-p-u (or well, being
REJECTED).

From my IRC logs (2017-04-30):

08:25 < jcristau> adsb: i didn't want to re-sign the dsc since it's already published on security...
08:54 < jcristau> adsb: reuploading rene's .changes including the buildinfo
08:55 < jcristau> let's see what happens
08:55 < jcristau> maybe it'll complain about .dsc replay
09:28 < jcristau> libreoffice | 1:4.3.3-2+deb8u7         | stable-new         | source, amd64
[...]
09:53 < _rene_> jcristau: did I broke something? (yes, admittedly I did debuild -S -i on my host stretch and then fed it to sbuild for jessie..)
09:53 < _rene_> s/broke/break/
09:54 < _rene_> jcristau: (and then mergechanges)
09:56 -!- Guest1495 [~p...@pabs.user.oftc.net] has quit [Ping timeout: 480 seconds]
10:00 < jcristau> _rene_: the sync from security to ftp-master doesn't know about buildinfo, so it tried to upload without it, and queued choked
10:00 < _rene_> ah
10:01 < jcristau> so last night i removed buildinfo from .changes and re-signed, but that got rejected as different key from the .dsc; this morning i just uploaded your .changes including the buildinfo which was kept on security-master
10:02 < jcristau> we should be ok now, other than getting the other archs back from reject, i think
10:02 < _rene_> yeah, saw the reject and wondered, then saw parts of the discussion here, and wondered more ;)
10:02  * _rene_ would have assumed security did a dput which wouldn't have breaked, would it?
10:02 < _rene_> does it do manual stuff?
10:03 < jcristau> find ${queuedir}/accepted -type f -exec mv -t /srv/queued/ftpmaster '{}' +
10:03 < jcristau> and then queued uploads from /srv/queued/ftpmaster to usper
10:03 < _rene_> ugh
10:03 < jcristau> but i'm guessing buildinfo isn't in /accepted
10:04 < _rene_> ok, but that means any stretch-security thing will have that problem?
10:04 < _rene_> built on stretch with .buildinfo...
10:05 < _rene_> probably needs to be fixed before stretch gets DSAs ;)

So if I get this right any package having .buildinfo will fail at this stage.

Which will get problematic in stretch security updates since anything built
inside stretch will not only have the source but also the binary .buildinfo's.

I think this must be (somehow) fixed before stretch releases to be able
to do security updates (well, sync them into s-p-u and not get lost and needing
manual recovery).

Regards,

Rene
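
A pre-upload check for the failure described in this report, added here as an example and not code from dak, queued or the security sync: it reports every file named in a .changes Checksums-Sha256 field that is absent from, or differs in, the directory about to be uploaded. The function names and the sample package are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_sha256_entries(changes_text):
    """Return {filename: (sha256, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False  # any other field or a blank line ends the list
    return entries

def check_upload(changes_text, directory):
    """Return {filename: problem} for files that are missing or do not match."""
    problems = {}
    for name, (digest, size) in parse_sha256_entries(changes_text).items():
        # basename() keeps a crafted entry from pointing outside the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            problems[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            problems[name] = "checksum mismatch"
    return problems

def demo():
    """Constructed sample: the queue directory got the .dsc but not the .buildinfo."""
    dsc, buildinfo = b"constructed dsc\n", b"constructed buildinfo\n"
    changes = "Source: example\nChecksums-Sha256:\n"
    for name, data in (("example_1.0.dsc", dsc),
                       ("example_1.0_source.buildinfo", buildinfo)):
        changes += " %s %d %s\n" % (hashlib.sha256(data).hexdigest(), len(data), name)
    changes += "Files:\n"
    with tempfile.TemporaryDirectory() as queue:
        with open(os.path.join(queue, "example_1.0.dsc"), "wb") as fh:
            fh.write(dsc)
        return check_upload(changes, queue)

if __name__ == "__main__":
    print(demo())
```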
