Bug#1014584:

2022-07-12 Thread Chad Smith 
Hi Axel and Alberto,


Thanks for the conversation on this issue. I just wanted to add a
little context to cloud-init's versioning scheme in Ubuntu.

> That said, AFAIK -0ubuntu1~22.10.1 is not a formally documented version
anywhere, though I have seen it a few times.

For lack of a better word, I'll refer to the `~XX.YY.1` as a
"diminished version suffix".

The diminished version suffix is typically used in a project to which
all applies:
 - the project tends to release an upstream version of a package
[1.2.3-0ubuntu1]
   without any diminished version suffix
 - the project publishes the same functional upstream version to
stable Ubuntu releases

   18.04, 20.04, 22.04, 22.10 [1.2.3-0ubuntu1~XX.YY.1]


When the stable release version is equivalent, minus debian/* release
specific packaging
changes, the package version needs to be able to support an upgrade
path where the
development release version is greater than the last stable release version:

 dpkg  --compare-versions 1.2.3-0ubuntu1 gt 1.2.3-0ubuntu1~22.10.1

  So, those projects[1] tend to use the tilde `~` sort order to establish that
the stable release package version ~22.04.1 is considered less than
the devel release.

This is more common in Ubuntu packages that have an SRU exception

because they are more

likely to publish the same upstream version in multiple Ubuntu releases.


  If these projects were to adopt the dot-delimited .24.10.1
"augmented version suffix",
those projects would also need to ensure that any published version in
the Ubuntu
development release also contains that Ubuntu devel series augmented
suffix .22.10.1.


The docs we used to come up with this sort ordering using the tilde are here
- https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-version
(debian_revision)

"""
 The lexical comparison is a comparison of ASCII values modified so
that all the letters
 sort earlier than all the non-letters and so that a tilde sorts
before anything,
 even the end of a part. For example, the following parts are in
sorted order from
 earliest to latest: ~~, ~~a, ~, the empty part, a
"""


> Alberto: what kind of upload is this?  22.10 is the current dev version,
so it's not some kind of backport.  With such context, I can guess that
this is some kind of package that your team is maintaining for multiple
ubuntu branches

Correct Axel. This is just an upload into the Ubuntu devel release
with a release-specific

diminished version syntax. From cloud-init perspective we figured we
could provide

Ubuntu release-specific ~XX.YY.1 to ensure all releases carry the same
general format suffix.

This way a community contributor wanting build their own deb from
upstream direct,
without version suffix, would be able to install the clean upstream
release and upgrade

from what is in-distro in ubuntu.


> ISTR that source-nmu-* just wasn't issued under ubuntu (i.e. with
--profile=ubuntu), did it start to be issued now?  I don't have any
recollection about binary-nmu-*
  All said the nmu lintian warnings seemed to have shown up in lintian
reports within the
last year. In cloud-init we don't correct our lintian warnings as much
as we should, but
we figured we should raise awareness on this issue to get upstream input on how
this should be addressed long term.


Thanks again for helping bring clarity here,

Chad

References

[1] Some Ubuntu packages which use ~XX.YY diminished package version schemes:
python3-distutils, ca-certificates, curtin, cloud-init,
ubuntu-advantage-tools, wslu, libstdc++6

Bug#1014584: lintian: False positive binary-nmu-debian-revision-in-source and source-nmu-has-incorrect-version-number with Ubuntu version

2022-07-11 Thread Mattia Rizzolo 
On Fri, Jul 08, 2022 at 01:34:49PM +0200, Axel Beckert wrote:
> Hi,
> 
> Alberto Contreras wrote:
> > When I invoke `lintian` over a package with a version like
> > `22.2-64-g1fcd55d6-0ubuntu1~22.10.1` it emits
> > `binary-nmu-debian-revision-in-source` and
> > `source-nmu-has-incorrect-version-number` source warnings.  This looks like

ISTR that source-nmu-* just wasn't issued under ubuntu (i.e. with
--profile=ubutnu), did it start to be issued now?  I don't have any
recollection about binary-nmu-*

If I dreamt the whole thing, then perhaps it should be done, because the
concept of NMU doesn't exist in Ubuntu, so the tag as a whole doesn't
make sense.

That said, AFAIK -0ubuntu1~22.10.1 is not a formally documented version
anywhere, though I have seen it a few times.

Alberto: what kind of upload is this?  22.10 is the current dev version,
so it's not some kind of backport.  With such context, I can guess that
this is some kind of package that your team is maintianing for multiple
ubuntu branches, in which case I'd expect you to follow the SRU
versioning, which prescribe -0ubuntu0.22.10.1 instead.
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging


I must also add that using . instead of ~ is fraught with catches, as
documented by, for example, 
https://lintian.debian.org/tags/dfsg-version-with-period
So I'd advocate a change in that policy, which hasn't been touched for
at least a decade (when I started contributing to ubuntu packages…)

> Note to myself: There's a similar albeit not identical issue reported
> in https://bugs.debian.org/1001399.

♥ Axel :)

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Bug#1014584: lintian: False positive binary-nmu-debian-revision-in-source and source-nmu-has-incorrect-version-number with Ubuntu version

2022-07-08 Thread Axel Beckert 
Hi,

Alberto Contreras wrote:
> When I invoke `lintian` over a package with a version like
> `22.2-64-g1fcd55d6-0ubuntu1~22.10.1` it emits
> `binary-nmu-debian-revision-in-source` and
> `source-nmu-has-incorrect-version-number` source warnings.  This looks like
> a false positive.
[…]
> We think it could be related to the following
> detection:
> https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L87
> regex:
> https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L65

Nope, it's likely
https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L70
which needs to be updated.

Note to myself: There's a similar albeit not identical issue reported
in https://bugs.debian.org/1001399.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#1014584: lintian: False positive binary-nmu-debian-revision-in-source and source-nmu-has-incorrect-version-number with Ubuntu version

2022-07-08 Thread Alberto Contreras 
Package: lintian
Version: 2.115.2

When I invoke `lintian` over a package with a version like
`22.2-64-g1fcd55d6-0ubuntu1~22.10.1` it emits
`binary-nmu-debian-revision-in-source` and
`source-nmu-has-incorrect-version-number` source warnings.  This looks like
a false positive.
Here is a transcript:

$ wget -q \

https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/cloud-init/22.2-64-g1fcd55d6-0ubuntu1~22.10.1/cloud-init_22.2-64-g1fcd55d6.orig.tar.gz
\

https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/cloud-init/22.2-64-g1fcd55d6-0ubuntu1~22.10.1/cloud-init_22.2-64-g1fcd55d6-0ubuntu1~22.10.1.debian.tar.xz
\

https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/cloud-init/22.2-64-g1fcd55d6-0ubuntu1~22.10.1/cloud-init_22.2-64-g1fcd55d6-0ubuntu1~22.10.1.dsc
> /dev/null

$ lintian cloud-init_22.2-64-g1fcd55d6-0ubuntu1~22.10.1.dsc
...
W: cloud-init source: binary-nmu-debian-revision-in-source
22.2-64-g1fcd55d6-0ubuntu1~22.10.1
W: cloud-init source: source-nmu-has-incorrect-version-number
22.2-64-g1fcd55d6-0ubuntu1~22.10.1
...

We think it could be related to the following
detection:
https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L87
regex:
https://salsa.debian.org/lintian/lintian/-/blob/ecc04980869462c5c71f4f71e9b8a71bd5b944b5/lib/Lintian/Check/Fields/Version.pm#L65

The warnings happen in:
- Debian 12, lintian 2.115.2
- Debian 11, lintian 2.104.0
- Debian 10, lintian 2.15.0
- Debian 9, lintian 2.5.50.4

I have created a pastebin with a full reproducer:
https://pastebin.ubuntu.com/p/85q7kXbZTW/