
Bug#989481: marked as done (unblock: debspawn/0.5.0-1)



Your message dated Thu, 10 Jun 2021 17:27:45 +0200
with message-id <CAM8zJQvwk7mGsfkrnL6dvx_tng2VWeA29SteiU1aO8rXM8SSqw@mail.gmail.com>
and subject line Re: Bug#989481: unblock: debspawn/0.5.0-1
has caused the Debian Bug report #989481,
regarding unblock: debspawn/0.5.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989481: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989481
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package debspawn

[ Reason ]
Debspawn is an nspawn-based package builder for Debian with a popcon
value of 52, therefore it would normally migrate in this phase of the
freeze via its autopkgtest.
Unfortunately, that autopkgtest can't currently run on Debian's CI
because Debian has no CI runners which provide machine-level
isolation, a feature that debspawn needs as it will itself spawn
containers and therefore can't run in one (an issue that the CI team
is aware of, but that I didn't know until recently).
The new release in unstable, while being a feature release, fixes two
RC bugs, one being a potential security issue (#989049 - debspawn:
privilege escalation via uid reuse) and one dependency issue (#987547
- missing dependency on dpkg-dev).
In addition to that, the changes also resolve a lot of papercuts and
minor feature requests. They also ready debspawn for using the cgroups
v2 layout, which Debian's systemd uses by default now (and which broke
a few features of debspawn in testing).

[ Impact ]
If the unblock isn't granted, the package would be removed from
testing in 4 days due to its security-issue RC bug, even though it had
a test and technically fit the requirements for migration.
This would lead to sad users and a sad maintainer. Debspawn has no
reverse dependencies though, so no other package would be directly
impacted.

[ Tests ]
The autopkgtest of Debspawn works well locally and apparently does run
well on Ubuntu's CI systems as well.
Furthermore, we are using Debspawn excessively at Purism to build the
PureOS Debian derivative, so the current version has received quite a
bit of real-world testing in building a lot of Debian packages on our
autobuild machines.

[ Risks ]
The package is a leaf package, so any issue will only affect Debspawn.
While new features have been added, they received excessive testing or
were included to resolve other issues (like the new logic to not reuse
UIDs from the host to fix a security issue), therefore the overall
risk for including these changes is low.

[ Other info ]
Upstream NEWS file with all the changes done compared to the version in testing:

Version 0.5.0
~~~~~~~~~~~~~~
Features:
 * maintain: Add new flag to print status information
 * maintain: status: Include debootstrap version in reports
 * docs: Document the `maintain` subcommand
 * Install systemd timer to clear all caches monthly
 * Unconditionally save buildlog

Bugfixes:
 * Rework how external system files are installed
 * Include extra data in manifest as well
 * Fix image creation if resolv.conf is a symlink

Version 0.4.2
~~~~~~~~~~~~~~
Features:
 * Add "maintain" subcommand to migrate or reset settings & state
 * Configure APT to not install recommends by default (deb: #987312)
 * Retry apt updates a few times to protect against bad mirrors
 * Add tmpfiles.d snippet to manage debspawn's temporary directory
 * Allow defining custom environment variables for package builds (deb: #986967)
 * Add maintenance action to update all images

Bugfixes:
 * Interpret EOF as "No" in interactive override question
 * Implement privileged device access properly
 * Move images to the right default location
 * Don't try to bindmount KVM if it doesn't exist
 * Use dpkg --print-architecture to determine arch (deb: #987547)
 * run: Mount builddir in initialization step
 * Don't register any of our nspawn containers by default
 * Check system encoding properly (deb: #982793)
 * Atomically and safely copy files into unsafe environments
 * Run builds as user with a random free UID (deb: #989049)

unblock debspawn/0.5.0-1

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
