Russ Allbery wrote:
We had some things break because of a change to buildd configuration that caught some people by surprise.
Well, the buildd configuration change has been reverted. What worries me now is that there is a risk not yet mitigated, coming from personal systems of Debian developers, and we should also check porter boxes.
As long as there is one Debian Developer (or any other person who has the right to upload binary packages) who has a merged /usr on his system used for building packages, there is a risk of reintroducing the bug through his package. Maybe we should somehow, in the short term, modify dpkg to add something like "Tainted-By: usr-merge" control field to all binary packages produced, if a package is built on a system with merged /usr (detected via /bin being a symlink). And a corresponding automatic check that would auto-reject binary packages with any Tainted-By control field from being uploaded to the Debian archive.
P.S. I am not even a Debian Maintainer, so all of the above may be rubbish. Would appreciate a reply that confirms or disproves that my thoughts make any sense.
-- Alexander E. Patrakov
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature