The news is collected on https://wiki.debian.org/DeveloperNews
Please contribute short news about your work/plans/subproject.

In this issue:
 + Debian buildds are using sbuild with unshare now
 + sbuild chroot manager for unshare backend users
 + Building packages with make --shuffle
 + debian.org: Support for Security Key-backed SSH keys

Debian buildds are using sbuild with unshare now
------------------------------------------------

The wanna-build team switched all buildds to the sbuild unshare backend for
trixie/sid/experimental plus *-backports. This means that official Debian
builds now run as non-root user and rely on user namespaces instead of schroot.
In addition this blocks any network access during the build as per Debian
policy 4.9.

Prior to the switch Santiago Vila did test rebuilds of all packages and bugs
have been filed:

https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=unshare;users=debian-wb-team@lists.debian.org

Help is welcome to fix the remaining bugs.

We recommend all developers to use sbuild with unshare as well. Notes on how
to set it up as well as hints for custom usage are collected on the Wiki:

https://wiki.debian.org/sbuild

 -- Jochen Sprickerhof

sbuild chroot manager for unshare backend users
-----------------------------------------------

After installing sbuild 0.87.0 or later from unstable, you can now build
packages without any additional setup. With an empty ~/.sbuildrc and with no
chroot tarballs in ~/.cache/sbuild, just run this to build the "hello" source
package:

    sbuild --chroot-mode=unshare --dist=unstable hello

To keep the dynamically created chroot tarball for subsequent builds, you can
make this configuration permanent by putting this into your ~/.sbuildrc:

    $chroot_mode = 'unshare';
    $unshare_mmdebstrap_keep_tarball = 1;

Whenever a chroot tarball doesn't exist yet, or whenever an existing tarball
is too old, sbuild will take care of creating one for you automatically.

If you want to customize the contents of the tarballs sbuild creates, read the
documentation of UNSHARE_MMDEBSTRAP_EXTRA_ARGS in sbuild.conf(5).

The new chroot management functionality is marked as experimental and any
feedback is very much appreciated.

 -- Johannes Schauer Marin Rodrigues

Building packages with make --shuffle
-------------------------------------

I've built trixie/sid using make's new --shuffle option from make 4.4.x.
This option is explained by the author here:

https://trofi.github.io/posts/238-new-make-shuffle-mode.html

There are more than 800 packages with Makefile issues. I've created this page
with build logs, a dd-list, and a short explanation of how you can do the same
using sbuild:

https://people.debian.org/~sanvila/make-shuffle/

Not filing bugs yet, because there are too many, but everyone is welcome to
fix their own packages as part of their routine QA checks (i.e. if you care
about your package being lintian clean and reproducible, you might want to
care about your makefiles being correct too).

Special thanks go to Víctor Seva, who reduced the number of affected packages
(no longer in the list) by 85 by fixing several issues in dh-lua, and of
course also to Sergei Trofimovich, who implemented the --shuffle option in
make in the first place.

 -- Santiago Vila

debian.org: Support for Security Key-backed SSH keys
----------------------------------------------------

debian.org's mail gateway now allows DDs and guests to add SSH keys of the
types sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com to
their LDAP accounts. Keys of these types are backed by hardware tokens and
generally require a physical touch for SSH access. As such they provide
stronger assurances about humans accessing our infrastructure.

 -- Philipp Kern
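
An added example, not part of the original announcement and not debian.org's own tooling: a Python check that classifies OpenSSH public key lines by whether they use one of the two security-key types named in the last item, and that confirms the type label matches the type stored inside the base64 key blob. The sample lines are constructed with dummy key material, the function names are hypothetical, and input is assumed to be bare "type base64 [comment]" lines as found in a .pub file.

```python
import base64

# The two key types named in the announcement above.
SK_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def blob_key_type(blob: bytes) -> str:
    """Return the key type stored as the first string inside a key blob."""
    n = int.from_bytes(blob[:4], "big")
    if n == 0 or 4 + n > len(blob):  # also rejects blobs shorter than 4 bytes
        raise ValueError("bad length field")
    return blob[4:4 + n].decode("ascii")


def classify(line: str) -> str:
    """Classify one public key line: sk, not-sk, mismatch or malformed."""
    fields = line.split()
    if len(fields) < 2:
        return "malformed"
    declared, b64 = fields[0], fields[1]
    try:
        inner = blob_key_type(base64.b64decode(b64, validate=True))
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return "malformed"
    if inner != declared:
        return "mismatch"  # label and blob disagree: do not trust the label
    return "sk" if declared in SK_TYPES else "not-sk"


def make_line(key_type: str, *parts: bytes) -> str:
    """Build a constructed sample line (dummy key material, not a real key)."""
    blob = ssh_string(key_type.encode()) + b"".join(map(ssh_string, parts))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


SK_LINE = make_line("sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:")
PLAIN_LINE = make_line("ssh-ed25519", bytes(32))
# Constructed mismatch: label claims a security key, blob is a plain ed25519 key.
RELABELLED = "sk-ssh-ed25519@openssh.com " + PLAIN_LINE.split()[1]

if __name__ == "__main__":
    for line in (SK_LINE, PLAIN_LINE, RELABELLED, "ssh-ed25519 not*base64"):
        print(classify(line), line.split()[0])
```

The check only looks at the key type; it says nothing about whether a given token enforces touch or PIN.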