Re: source uploads are no problem (but binNMUs are)
On Sat, Nov 29, 2025 at 11:37:10AM +0000, Holger Levsen wrote:
> On Sat, Nov 29, 2025 at 12:24:28AM +0200, Adrian Bunk wrote:
> > How do you generate and sign potentially hundreds or thousands of
> > sourceful uploads for these dependent packages?
> >
> > binNMUs are not possible when these dependent packages are arch:all.
>
> for i in $list_of_src_pkgs ; do
> mkdir t ; cd t
> apt source $i
> cd $i-*
> dch --some-params
> debuild -S
> cd ..
> debsign *changes
If this was the way for doing regular binNMUs, then the members of the
security and release teams doing such binNMUs must not use a more secure
setup where every signature requires a password or keypress.
> dput *changes
> cd ..
> done
>
> this is not rocket science. I have done that with 10% of the
> archive, that is >3000 source packages and uploads.
A member of the release team doing a regular "Rebuild for outdated
Built-Using" binNMU round today would binNMU 551 source packages.[1]
Including Static-Built-Using this would be 681 source packages.
Add binary-all (including "Built-Using: sphinx") and fixing all the
packages that are doing static linking without (Static-)Built-Using,
then 3000 source packages might be a normal number for a regular
"Rebuild for outdated Built-Using" round in unstable.
Rebuilding the Haskell ecosystem in Debian for a CVE in src:ghc would
require binNMUs to >1000 packages already in trixie; this is different
from Built-Using and not counted above.
For a one-off rebuild of >3000 packages I would do the same as you did,
but upload+download of >1000 packages for regular Built-Using rebuilds
in unstable or a DSA would not be a good solution.
> I also believe dgit makes this even easier, but I have not tried that yet.
>
> I guess I'd welcome the need of having to do 23 of such uploads so that
> someone shows how to do this with dgit and this boring argument becomes moot.
>
> I also think we *still* need a better way to do binNMUs for all archs because
> binNMUs have other problems, see #894441 and friends.
IMHO the proper solution would be a dcut command that sends a list of
source binNMUs and dak then creates them, because:
- dak already has the sources
- dak already has a trusted private key
- dak already has a command interface that could be used
> cheers,
> Holger
cu
Adrian
[1] only counting packages whose Built-Using are actually outdated,
and that do not have RC ftbfs bugs
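Added example (not code from this thread, from dak or from any release-team tool) of the bookkeeping behind a "Rebuild for outdated Built-Using" round: it parses Packages/Sources stanzas and flags every binary whose Built-Using or Static-Built-Using reference no longer matches the source version currently in the archive, then groups the hits by source package, which is the list a binNMU (or sourceful upload) round has to cover. The stanzas below are constructed sample data; a real run would read the archive's Packages and Sources indices.

```python
import re
from collections import defaultdict

# Constructed sample index stanzas (not real archive data).
PACKAGES = """\
Package: foo-static
Source: foo (1.2-3)
Version: 1.2-3+b1
Architecture: amd64
Built-Using: libbar (= 2.0-1)
Static-Built-Using: libbaz (= 0.9-4)

Package: docs-all
Source: docs
Version: 5.1-1
Architecture: all
Built-Using: sphinx (= 7.4.7-1)

Package: qux
Version: 3.0-1
Architecture: amd64
"""

SOURCES = """\
Package: libbar
Version: 2.0-1

Package: libbaz
Version: 1.0-1

Package: sphinx
Version: 8.1.3-1
"""

# Built-Using relations always carry an exact version: "src (= ver)".
REL = re.compile(r"(\S+)\s*\(=\s*([^)]+)\)")

def parse_stanzas(text):
    """Split an RFC822-style index into dicts (no continuation lines needed here)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def built_using_refs(stanza, fields=("Built-Using", "Static-Built-Using")):
    """Return [(field, source, version)] for every exact-version relation."""
    return [(f, src, ver.strip())
            for f in fields for src, ver in REL.findall(stanza.get(f, ""))]

def source_of(stanza):
    """'Source: foo (1.2-3)' carries an optional version; default to the binary name."""
    return stanza.get("Source", stanza["Package"]).split()[0]

def outdated_built_using(packages_text, sources_text):
    """Map each source package needing a rebuild to the stale references causing it."""
    current = {s["Package"]: s["Version"] for s in parse_stanzas(sources_text)}
    todo = defaultdict(list)
    for pkg in parse_stanzas(packages_text):
        for field, src, ver in built_using_refs(pkg):
            now = current.get(src)
            if now != ver:  # referenced source version is no longer in the archive
                todo[source_of(pkg)].append(
                    (pkg["Package"], pkg["Architecture"], field, src, ver, now))
    return dict(todo)

if __name__ == "__main__":
    for src, reasons in sorted(outdated_built_using(PACKAGES, SOURCES).items()):
        print(src, reasons)
```

The Architecture column is what decides whether a hit can be handled by a binNMU at all: the arch:all entry (docs-all) is exactly the case from the thread that needs a sourceful upload instead.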