On Wed, Nov 28, 2018 at 07:52:08AM +0500, Alexander E. Patrakov wrote:
As long as there is one Debian Developer (or any other person who has the
> right to upload binary packages) who has a merged /usr on his system used
> for building packages, there is a risk of reintroducing the bug through his
> package. Maybe we should somehow, in the short term, modify dpkg to add
> something like "Tainted-By: usr-merge" control field to all binary packages
> produced, if a package is built on a system with merged /usr (detected via
> /bin being a symlink).
we have .buildinfo files now which document the packages installed
during build time. If usrmerge is installed it will be there.
> And a corresponding automatic check that would
> auto-reject binary packages with any Tainted-By control field from being
> uploaded to the Debian archive.
we lack that, but thats a simple grep.
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Attachment:
signature.asc
Description: PGP signature