
Re: maintainer built binary package in stable release, still (Re: Bug#1054401: bookworm-pu: package nagios-plugins-contrib/42.20230308+deb12u1)



Hi Adam,

On Thu, Dec 07, 2023 at 01:56:34PM +0000, Adam D. Barratt wrote:
> On Thu, 2023-12-07 at 12:40 +0100, Paul Gevers wrote:
> > Hi,
> > 
> > On 07-12-2023 12:20, Adrian Bunk wrote:
> > > On Thu, Dec 07, 2023 at 11:18:42AM +0100, Paul Gevers wrote:
> > > > I hope that in several hours,
> > > > https://release.debian.org/britney/excuses_s-p-u.html will have
> > > > the answer.
> > > 
> > > it should find packages like jtreg6 that are scheduled for the next
> > > point release, but it won't find packages like gmp that went into
> > > bullseye 2 years ago.
> > 
> > Ack. Indeed it spots:
> > cacti, fastdds, freetype, grub-efi-amd64-signed,
> > grub-efi-arm64-signed, grub-efi-ia32-signed, jtreg6,
> > llvm-toolchain-16, node-babel7, node-browserify-sign and slurm-wlm.
> > A bunch of them have arch:all binaries.
> 
> Heh at cacti being in the list. :-)
> 
> fwiw the grub-efi-*-signed packages were built on buildds, in the
> security archive. They got rejected when they were copied over to
> ftp-master, due to the grub2 versus grub-efi-* naming issue that's been
> mentioned on debian-release before. In order to get them into
> stable-new, I re-signed the changes files and re-uploaded them. The
> packages themselves are identical to those released via security.d.o
> (they're the same files).
> 
> Similarly, the two fastdds uploads were rejected between the security
> archive and ftp-master as the buildd keys had expired in the meantime,
> so I simply re-signed and re-uploaded them.
> 
> Relatedly, if a binary upload was performed to the security archive
> then any binNMUs should likely happen there and then be synced across
> to stable, otherwise we're only resolving part of the issue.

Hmm technically likely right, but in security we cannot very well
handle the binNMUs (only if the source is already present there,
otherwise ftp-masters need to inject the sources first).

This is related to
https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecFull?highlight=%28gen-DSA%29#BinNMUs
and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823820 (well
more broadly to have source available).

Regards,
Salvatore

