[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: 32bit arch packages are built with wrong ownership due to fakeroot bug

On Fri, 10 Feb 2023 at 03:18:16 +0100, Johannes Schauer Marin Rodrigues wrote:
> Quoting Santiago Vila (2023-02-09 17:32:08)
> > - No intervention from individual maintainers is required for fixing this, as
> > we already have a binNMU mechanism which we already use for transitions.
> Once fakeroot is fixed, binNMUs can be used to fix packages, yes. Without the
> fakeroot fix in place, individual maintainers could do things to fix their
> packages on the affected architectures but I do not think doing so is a good
> idea.

There is one thing that maintainers can do to fix their packages on the
affected architectures that I think *might* be a good idea: if their
package builds correctly with Rules-Require-Root: no, they could add that
field, resulting in fakeroot not being used.

The safe way to do this (helped by all the work that has gone into making
our builds more reproducible-by-default) is:

- build the package as-is, and copy the resulting binaries as a reference
- add Rules-Require-Root: no
- build the package again in the same environment
- compare the two sets of binaries with diffoscope
- if there are no differences other than the .buildinfo, then
  Rules-Require-Root: no is OK to use
- if there are differences, investigate them, and do not upload if unsure

If we weren't so close to soft freeze, I would be saying maintainers
of affected packages should at least try this, because it permanently
avoids fakeroot-related issues for that package; but for the minority
of packages where it's wrong to use Rules-Require-Root, that could lead
to regressions, which makes me less confident about that advice.


Reply to: