Re: Raising the severity of reproduciblity issues to "important"

On Fri, Sep 01, 2017 at 06:34:38PM +0100, Ian Campbell wrote: > On Fri, 2017-09-01 at 12:43 +0200, Helmut Grohne wrote: > > Whatever point you were trying to make around NEW, your argument is not > > very convincing. I think Holger is right here: Where the package is > > built should not matter.

Re: Raising the severity of reproduciblity issues to "important"

On Fri, 2017-09-01 at 12:43 +0200, Helmut Grohne wrote: > Whatever point you were trying to make around NEW, your argument is not > very convincing. I think Holger is right here: Where the package is > built should not matter. Presence of .buildinfo and reproducibility > does. Appollogies if this

Re: Raising the severity of reproduciblity issues to "important"

On Fri, Sep 01, 2017 at 11:07:17AM +0100, Simon McVittie wrote: > The problem with maintainer-built binaries around NEW is that if they > wait in the NEW queue for (let's say) 1 month, then by the time they > reach the archive, they were built with a 1 month old toolchain and > build-dependencies,

Re: normal bugs (Re: Raising the severity of reproduciblity issues to "important")

On Fri, Sep 01, 2017 at 09:43:54AM +, Holger Levsen wrote: > On Fri, Sep 01, 2017 at 09:34:53AM +0300, Adrian Bunk wrote: > > On Sun, Aug 23, 2015 at 12:48:50PM +0200, Chris Lamb wrote: > > >... > > > However, based on an informal survey at DebConf (and to reflect the > > > feeling towards

Re: Raising the severity of reproduciblity issues to "important"

On Fri, 01 Sep 2017 at 09:40:25 +, Holger Levsen wrote: > On Fri, Sep 01, 2017 at 09:26:44AM +0300, Adrian Bunk wrote: > > AFAIK the only place where we currently still need binary packages that > > have been built on a maintainer machine is for [...] > > the fun part is that once a package

normal bugs (Re: Raising the severity of reproduciblity issues to "important")

On Fri, Sep 01, 2017 at 09:34:53AM +0300, Adrian Bunk wrote: > On Sun, Aug 23, 2015 at 12:48:50PM +0200, Chris Lamb wrote: > >... > > However, based on an informal survey at DebConf (and to reflect the > > feeling towards software reproducibility in the free software community > > in general)

Re: Raising the severity of reproduciblity issues to "important"

On Fri, Sep 01, 2017 at 09:26:44AM +0300, Adrian Bunk wrote: > AFAIK the only place where we currently still need binary packages that > have been built on a maintainer machine is for [...] the fun part is that once a package builds bit by bit identically, it doesnt matter anymore where it's

Re: Raising the severity of reproduciblity issues to "important"

Hi! On Fri, 2017-09-01 at 09:26:44 +0300, Adrian Bunk wrote: > AFAIK the only place where we currently still need binary packages that > have been built on a maintainer machine is for NEW, and after someone > has implemented a solution for that there is no blocker left for > allowing only

Re: Raising the severity of reproduciblity issues to "important"

On Sun, Aug 23, 2015 at 12:48:50PM +0200, Chris Lamb wrote: >... > However, based on an informal survey at DebConf (and to reflect the > feeling towards software reproducibility in the free software community > in general) unless there are strong objections I intend to raise the > severity of

Re: Raising the severity of reproduciblity issues to "important"

On Mon, Aug 24, 2015 at 11:41:21PM +0200, Vincent Bernat wrote: > ❦ 24 août 2015 22:30 +0100, Colin Tuckley  : > > >> We have pushed other archive-wide goals that were not shared by > >> all upstreams. For example, we have enabled hardening build flags > >> on almost all

Re: Raising the severity of reproduciblity issues to important

On Mon, Aug 24, 2015 at 10:30:45PM +0100, Colin Tuckley wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 24/08/15 22:02, Vincent Bernat wrote: We have pushed other archive-wide goals that were not shared by all upstreams. For example, we have enabled hardening build flags on

Re: Raising the severity of reproduciblity issues to important

Hi. Chris Lamb la...@debian.org writes: Hi -devel, The reproducible-builds team are currently contributing patches with wishlist severity. This is because it is not currently possible to build reproducible packages within sid itself - we maintain a separate repository whilst our changes

Re: Raising the severity of reproduciblity issues to important

On Sun, Aug 23, 2015 at 12:48:50PM +0200, Chris Lamb wrote: The reproducible-builds team are currently contributing patches with wishlist severity. This is because it is not currently possible to build reproducible packages within sid itself - we maintain a separate repository whilst our

Re: Raising the severity of reproduciblity issues to important

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 24/08/15 20:24, Santiago Vila wrote: Well, I object strongly. Same here, in my view reproducibility is a 'nice to have' it should *never* be forced on a package. We are in the business of packaging upstream software for distribution. We

Re: Raising the severity of reproduciblity issues to important

❦ 24 août 2015 21:12 +0100, Colin Tuckley col...@debian.org : Well, I object strongly. Same here, in my view reproducibility is a 'nice to have' it should *never* be forced on a package. We are in the business of packaging upstream software for distribution. We should not make arbitrary

Re: Raising the severity of reproduciblity issues to important

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 24/08/15 22:02, Vincent Bernat wrote: We have pushed other archive-wide goals that were not shared by all upstreams. For example, we have enabled hardening build flags on almost all packages and for packages that don't obey to the

Re: Raising the severity of reproduciblity issues to important

On 2015-08-24 21:24, Santiago Vila wrote: [...] Hi Santiago, Making a great percentage of packages in the archive to be suddenly buggy is unacceptable. I can see where you are coming from. I have to admit that I am personally not too concerned with the severity change. Given it is not

Re: Raising the severity of reproduciblity issues to important

Niels Thykier ni...@thykier.net writes: On 2015-08-24 21:24, Santiago Vila wrote: We all want Debian to build reproducibly, but goals are achieved by submitting bugs, changing packages and making uploads, not by rising severities. I agree in general that people should make an effort to

Re: Raising the severity of reproduciblity issues to important

On Sun, Aug 23, 2015 at 12:48:50PM +0200, Chris Lamb wrote: Hi -devel, The reproducible-builds team are currently contributing patches with wishlist severity. This is because it is not currently possible to build reproducible packages within sid itself - we maintain a separate repository

Re: Raising the severity of reproduciblity issues to important

On 08/23/2015 12:48 PM, Chris Lamb wrote: Hi -devel, The reproducible-builds team are currently contributing patches with wishlist severity. This is because it is not currently possible to build reproducible packages within sid itself - we maintain a separate repository whilst our

Re: Raising the severity of reproduciblity issues to important

On 24/08/15 21:42, Niels Thykier wrote: Are you aware that 37 out of 40 of your packages can currently be build reproducible in unstable using the patched toolchain (e.g. dpkg and debhelper). This (I presume) is without you having done anything to make them explicitly reproducible.

Re: Raising the severity of reproduciblity issues to important

❦ 24 août 2015 22:30 +0100, Colin Tuckley col...@debian.org : We have pushed other archive-wide goals that were not shared by all upstreams. For example, we have enabled hardening build flags on almost all packages and for packages that don't obey to the appropriate flags, bugs with severity

Re: Raising the severity of reproduciblity issues to important

Hi, On 2015-08-24 22:12, Colin Tuckley wrote: [...] Same here, in my view reproducibility is a 'nice to have' it should *never* be forced on a package. We are in the business of packaging upstream software for distribution. We should not make arbitrary changes to upstream software, such

Re: Raising the severity of reproduciblity issues to important

Hi, On 2015-08-24 22:06, Matthias Klose wrote: [...] So what about identifying categories which should be fixed in any case, and maybe which should have special rules for accelerated NMUs and such? Personally, I find that proposal quite interesting. Categories would include: - running

Re: Raising the severity of reproduciblity issues to important

Santiago Vila wrote... Making a great percentage of packages in the archive to be suddenly buggy is unacceptable. Nobody would consider making failing r12y serious at the current state where 13 to 17 percent of the packages fail, depending on how you read the numbers. We all want Debian to

Re: Raising the severity of reproduciblity issues to important

Quoting Holger: This is a lie (pointing to a graph that was being shown on the screen). The current figures we are handling right now refer to a modified build environment (i.e. sid + the special sources.list line from alioth). I do not intend to change anything until these changes have

Re: Raising the severity of reproduciblity issues to important

On Mon, Aug 24, 2015 at 10:25:01PM +0200, Niels Thykier wrote: In your opinion, how much of the archive should be fixed before one can start bumping the severity? I don't know, but I think we should have better statistics before deciding about that. Quoting Holger: This is a lie (pointing to a

Re: Raising the severity of reproduciblity issues to important

On Mon, Aug 24, 2015 at 10:25:01PM +0200, Niels Thykier wrote: It is really so much difficult to make this in stages? For example: Stage 1. Make it a policy *recommendation*, with normal severity. Stage 2. Make it a policy should, with important severity. Stage 3. Make it a release

Raising the severity of reproduciblity issues to important

Hi -devel, The reproducible-builds team are currently contributing patches with wishlist severity. This is because it is not currently possible to build reproducible packages within sid itself - we maintain a separate repository whilst our changes to the toolchain are pending review and