Re: maintainer-built binaries

To: Paul Wise <pabs@debian.org>
Cc: debian-dak@lists.debian.org
Subject: Re: maintainer-built binaries
From: Ansgar <ansgar@43-1.org>
Date: Mon, 02 Dec 2019 19:08:35 +0100
Message-id: <[🔎] 87sgm2lhwc.fsf@marvin.43-1.org>
Mail-followup-to: Paul Wise <pabs@debian.org>, debian-dak@lists.debian.org
In-reply-to: <5ec2e979cd7d7ec9bf386fbf77e3399c7aeeb473.camel@debian.org> (Paul Wise's message of "Sat, 30 Nov 2019 15:17:45 +0800")
References: <5ec2e979cd7d7ec9bf386fbf77e3399c7aeeb473.camel@debian.org>

Paul Wise writes:
> I was looking at the TODO item about maintainer built binaries.
>
> The simplest way to discard maintainer built binaries appears to be
> that any sourceful uploads should get any associated binaries ignored.
> This should make NEW work the same as it does now, make almost all
> binary uploads come from buildds but not block maintainers from doing
> binary-only uploads where maintainer-built binaries are needed, such as
> for language bootstrap after NEW processing or later where needed.

If you discard binaries from sourceful uploads, they won't be available
for NEW processing.

If you discard binaries after they were in NEW, you create race
conditions as a file with the same name will be uploaded by buildds.
(Also I suspect it would make version tracking to enforce newer uploads
always have a higher version than previous uploads, even when binaries
were removed in between, more complicated.)

It also means maintainers would have to upload binaries twice some
times (before and after NEW processing).

I'm not sure if it isn't better to eventually switch to source-only
uploads for NEW instead.

> I think the right way to implement that is that the ArchiveUpload
> _install_to_suite function that installs an upload to a suite should
> ignore such binaries when the discard binaries option is on.

No, that is before NEW.

> Do we want to keep the maintainer-built binaries somewhere for future
> audit purposes such as to enforce reproducible builds?

If we had reproducible builds, we really wouldn't need to throw away
maintainer-built binaries anyway as buildds would produce the same
result ;-)

But yes, anything that was in the archive should be kept for audit
purposes (we even keep rejected stuff).

> Do we want to flag the maintainer-built binary-only uploads for future
> audit purposes such as to ensure they are only used for bootstrap?

What sort of bootstrap?

Please keep in mind that some packages will not get built by buildds
anyway, such as some non-free stuff (not building them on buildds is the
default for non-free).

> Do we want to disallow maintainer-built binary-only uploads by DMs?

I don't think we should treat DMs much different from DDs.

Ansgar

Reply to:

Follow-Ups:
- Re: maintainer-built binaries
  - From: Paul Wise <pabs@debian.org>
- Re: maintainer-built binaries
  - From: Ivo De Decker <ivodd@debian.org>

Next by Date: Re: maintainer-built binaries
Next by thread: Re: maintainer-built binaries
Index(es):
- Date
- Thread