Bug#904302: Whether vendor-specific patch series should be permitted in the archive [and 1 more messages]

To: Sam Hartman <hartmans@debian.org>, 904302@bugs.debian.org
Cc: Philip Hands <phil@hands.com>, Adrian Bunk <bunk@debian.org>
Subject: Bug#904302: Whether vendor-specific patch series should be permitted in the archive [and 1 more messages]
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Fri, 5 Oct 2018 14:45:59 +0100
Message-id: <[🔎] 23479.27415.936116.192617@chiark.greenend.org.uk>
Reply-to: Ian Jackson <ijackson@chiark.greenend.org.uk>, 904302@bugs.debian.org
In-reply-to: <[🔎] tslmursr2ho.fsf@suchdamage.org>
References: <877ekztkew.fsf@err.no> <87sh2aelmf.fsf@err.no> <87mushdxgz.fsf@hands.com> <87efdqo9j6.fsf@err.no> <871s9pek5g.fsf@hands.com> <[🔎] 20181003194111.GA9620@localhost> <87o9eyeofq.fsf@silentflame.com> <[🔎] 23478.2120.329278.218902@chiark.greenend.org.uk> <[🔎] 8736tlmv3g.fsf@hands.com> <[🔎] 20181004194806.GB5131@localhost> <[🔎] 87woqwlwfo.fsf@hands.com> <[🔎] 23479.18829.244474.328012@chiark.greenend.org.uk> <[🔎] tslmursr2ho.fsf@suchdamage.org> <87o9eyeofq.fsf@silentflame.com>

Sam Hartman writes ("Bug#904302: Whether vendor-specific patch series should be permitted in the archive [and 1 more messages]"):
> So imagine that Ubuntu and several other downstreams care more about
> security and hardening than they do about backward compatibility and
> they choose to change a number of gcc and other tool defaults in support
> of that.  I realize my example is not entirely hypothetical, but I want
> to emphasize I have not researched to get all the details right, because
> it doesn't matter.
> 
> Especially if multiple downstreams or individual users who build from
> source might want the change, I think carrying the delta in  the Debian
> source package can be valuable.  It needs to be balanced against a lot
> of other concerns.

I agree that carrying a switch-on-able delta in the Debian package
would be a good thing there.  So, the meat of the change should
definitely go to Debian or maybe even to upstream as a
--with-extra-hardening configure option or some such.

This should be enabled via DEB_BUILD_OPTIONS, or a commented-out line
in the rules file, or by reading /etc/compilers/hardening-enabled at
build- or runtime, or something.  Not by looking at `the vendor'.

A scenario why this is needed can be seen from this scenario:

Suppose someone wants to try to maintain a distro which is like
Debian, but which takes some subset of packages from Raspbian.

The obvious way to do this is to import most packages from Debian and
the other packages from Raspbian, and to fix up the bugs which occur
at the interface.

If packages in Debian and Raspbian use dpkg-vendor --is raspbian to
decide whether to do the Raspbian thing, then there is no way to make
this work because there is no correct answer: the answer to whether a
package should do the Raspbian thing depends not only on which distro
we are building or running on, but on which package it is.

In practice if I were maintaining that distro I would be tempted do
some kind of hideous hack to make the output of dpkg-vendor depend on
the name of package we were building.  Because how else will I do it ?
Playing whack-a-mole with dpkg-vendor calls would be impractical.

If the Raspbian-specific features are enabled by carrying a changed
source package in Raspbian, then things will mostly DTRT and generally
problems will occur only when the delta-enablement is done via some
kind of indirection, and the indirection messily crosses the `cutoff'
between the Raspbian-originated and Debian-originated packages.

Ie I only have to manually fix the problems that irreducible, not ones
introduced by ill-advised calls to dpkg-vendor.

> And yes, in many cases dgit is the answer.  That said, if I were
> maintaining the same package both for Debian and for the downstream I
> work on, I might well value having a single source tree enough to use
> dpkg-vendor or lsb-release or something to switch.

In that case, that is convenient for you but it is wrong for your
downstreams and users.  We should be discouraging such tradeoffs.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to:

References:
- Bug#904302: Whether vendor-specific patch series should be permitted in the archive
  - From: Adrian Bunk <bunk@debian.org>
- Bug#904302: Whether vendor-specific patch series should be permitted in the archive
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Bug#904302: Whether vendor-specific patch series should be permitted in the archive
  - From: Philip Hands <phil@hands.com>
- Bug#904302: Whether vendor-specific patch series should be permitted in the archive
  - From: Adrian Bunk <bunk@debian.org>
- Bug#904302: Whether vendor-specific patch series should be permitted in the archive
  - From: Philip Hands <phil@hands.com>
- Bug#904302: Whether vendor-specific patch series should be permitted in the archive [and 1 more messages]
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Bug#904302: Whether vendor-specific patch series should be permitted in the archive [and 1 more messages]
  - From: Sam Hartman <hartmans@debian.org>

Prev by Date: Bug#904302: Whether vendor-specific patch series should be permitted in the archive [and 1 more messages]
Next by Date: Bug#904558: What should happen when maintscripts fail to restart a service
Previous by thread: Bug#904302: Whether vendor-specific patch series should be permitted in the archive [and 1 more messages]
Next by thread: Bug#904302: Whether vendor-specific patch series should be permitted in the archive [and 1 more messages]
Index(es):
- Date
- Thread