On Mon, Jul 04, 2005 at 07:18:20PM -0400, Michael Stone wrote:
> Ok, let's say wanna-build is ok.

I'm not really willing to presume that it is; my preceding question was intended to establish *whether* it was. Besides the fact that blogging about this stuff (apparently *instead* of talking to the involved parties in some cases) with comments like "Debian Security still broken" is bad for morale and far more damaging to Debian's reputation than the circumstances would actually seem to warrant (given that if arm is really the only issue with sarge right now, this is obviously not the first time arm's been a problem, and no one thought a media shitstorm was a good idea until this round!), these blog entries sure don't give *me* enough information to try to be useful.

> Let's say everything is ok (I don't know enough about the buildd structure
> to claim otherwise). WTF is up then?[1] I've already released two DSA's
> without arm, and have 3 more pending.

I'd love to know. Wanna-build seems to think that sudo was built fine on arm, and uploaded. I have no way to know from here if the arm .deb visible now on security.debian.org is the same one, or if someone hand-built that. This seems to have only happened today, so of course it's not in the DSA released on the 1 July.

There are a few other packages listed by wanna-build as "Installed" on arm for stable-security; that includes ht, qpopper, and a couple that don't appear to have corresponding DSAs yet. I can confirm those for you off-list if you want.

> IIRC, there were release criteria for various archs; one release criterion
> was n+1 buildd's, and the other was "security updates".

Uh, there are proposed release criteria for etch (which Joey has incidentally objected to...). There were no explicit architecture criteria for sarge. Of course security support is essential for released architectures, but there was no real consideration given to dropping architectures for sarge on this basis.

> What's the proper course here? Should we expect that someone's working on
> fixing arm (and the other things I didn't get into) even in the absence of
> any feedback from debian-admin[3] or should we start "unreleasing"
> architectures?[4]

The difficulty of "unreleasing" an architecture is precisely why I believe we need to place more emphasis on architecture infrastructure during our release cycle. I don't think you should expect that it's being worked on, so much as keeping people in the loop about what's not working...

> On Mon, Jul 04, 2005 at 07:18:20PM -0400, Michael Stone wrote:
> >[2] Newsflash: sudo and spamassassin stable arm packages have appeared!
> >I missed them because they had the wrong date--apparently the arm buildd
> >completed them on 25 Jun, several days before I uploaded anything to
> >klecker. I wait with bated breath to see if other arm packages are in a
> >similar state. Perhaps stable is sorta fixed and only oldstable is
> >terminal?

> Never mind, it doesn't look like the arm packages are going to work
> after all. Maybe they expired? (Most recent message: the following files
> mentioned in the .changes were not found: spamc_3.0.3-2_arm.deb)

According to wanna-build, spamassassin is in state "building" since 30 Jun. That could point to a buildd problem. Does the security team sign security autobuilds directly, or do they still have to be signed and uploaded by the buildd admin?

-- 
Steve Langasek
postmodern programmer