Re: binNMU or reproducible builds (choose only one)

To: Santiago Vila <sanvila@unex.es>, debian-devel@lists.debian.org
Subject: Re: binNMU or reproducible builds (choose only one)
From: Niels Thykier <niels@thykier.net>
Date: Thu, 17 Sep 2015 22:26:11 +0200
Message-id: <[🔎] 55FB21E3.3020301@thykier.net>
In-reply-to: <[🔎] alpine.DEB.2.11.1509172151150.19080@cantor.unex.es>
References: <[🔎] alpine.DEB.2.11.1509172151150.19080@cantor.unex.es>

On 2015-09-17 22:02, Santiago Vila wrote:
> Hello.
> 

Hi,

> I see "serious" bug reports asking for packages to drop
> "dh_installdocs --link-doc" (see Bug #799316 for an example).
> 

To clarify (for those who haven't read the bug): I requested that
--link-doc between arch:any AND arch:all packages was removed.  I made
no requests to drop --link-doc between the two arch:any packages.

> However, binNMUs break the reproducibility of the packages being
> NMUed, since apparently the requirement of providing the *exact*
> source code that was used for the *.deb is "relaxed" for the packages
> being NMUed.
> 

The current implementation might not be reproducible-safe, and we should
probably patch.  However, I do not see why binNMUs contradicts
reproducible builds in general.

> I wonder: Instead of forbidding "dh_installdocs --link-doc", which I
> consider a useful feature that should not be dropped lightly, why
> don't we just do source-full NMUs that do not change anything?
> 

binNMUs are much more lightweight than source-full NMUs.  Notably:

 * They are not subject to the NMU policy which involves delays
   - These are certainly politics that could be changed, but ...

 * Scheduling a binNMU is a simple command that involves nothing from
   the person scheduling beyond running it.
   - Certainly the tool could be patched/replaced, but notably, you
     do not have to sign/upload things for this to work.

Again, not saying it could not be changed, but binNMUs are used fairly
often.  Having to download the source code, add a changelog entry and
sign the result would make any non-trivial transition a living hell.

To put this into perspective, the perl 5.22 transition involves ~570
packages.  We expect to be able to binNMU the vast majority of those -
that is a lot of time saved by binNMUing rather than having to download,
unpack, dch -r "", pack, sign and dput.

> [...]
> 
> Maybe I'm missing anything, but why do we *need* to break existing
> dh_installdocs practice?
> 
> Thanks.
> 

The use of dh_installdocs --link-doc between arch:any and arch:all has
up to now always been "broken" (read: binNMU unsafe).  If we were to
replace the binNMU implementation with something that ensured lock-step
versions between arch:all and arch:any packages, it could start work.

Thanks,
~Niels

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: binNMU or reproducible builds (choose only one)
  - From: Santiago Vila <sanvila@unex.es>
- Re: binNMU or reproducible builds (choose only one)
  - From: Wouter Verhelst <wouter@debian.org>

References:
- binNMU or reproducible builds (choose only one)
  - From: Santiago Vila <sanvila@unex.es>

Prev by Date: binNMU or reproducible builds (choose only one)
Next by Date: Re: binNMU or reproducible builds (choose only one)
Previous by thread: binNMU or reproducible builds (choose only one)
Next by thread: Re: binNMU or reproducible builds (choose only one)
Index(es):
- Date
- Thread