Dear Debian Developers,

(I am just a Debian user with a little experience in Debian
packaging.)

On Mon, 24 Jun 2024 09:12:54 -0700 Russ Allbery <rra@debian.org> writes:
> For the third purpose, I believe only weak intent information can be
> derived from the uploader signature today. It is common practice in Debian
> to verify the Git tree that one wants to upload, run a package build step,
> and then blindly sign the resulting source package. [...]

I feel this is somehow ... wrong. I think, *currently*, it should
be a moral obligation for a DD to make sure the resulting source
package is correct.

Let me first start from binary Debian packages. I have encountered
bugs in two packages that rendered the packages completely unusable.
(One of the bugs is from an NMU.) The bugs were probably due to
changes in the toolchain. Reproducible builds are useless to detect
them, as the same toolchain will result in the same binary package.
Both bugs could easily be detected by automatic tests, but obviously
there was no automatic test or the automatic tests did not cover
these cases. And I think there are packages that need to be tested
by actually using them, by which I mean installing the packages and
starting the software. For example, start a browser to open a
website, play a video using a video player, etc. In the cases of
these bugs, obviously the Uploaders didn't actually start the program
to test the binary packages, as using the program on a simple input
would immediately result in an error.

Back to source Debian packages. Consider a workflow in which there is
no d/patches/ under the DD's working directory and the patches under
d/patches/ are generated by dgit when building the source package.
Now hypothesize that there is a bug in dgit which will build a source
package without d/patches/. If the DD blindly signs and uploads the
resulting source package, the defective source package will go into
the archive. There are many messages mentioning to-be-implemented
reproducible builds for source packages, but I think reproducible
builds are useless here, similar to the situation in the previously
mentioned bugs. And I didn't see anyone mention something like
automatic-source-package-tests in the threads around tag2upload, so
to detect the defective source package someone may need to actually
look into the source package. I think it is naturally assumed that it
should be the DD who does the check. Although many people claim the
source package is a build artifact, I think the source package is
still supposed to be readable by a human, unlike binary packages. I
think this is true especially for patches under d/patches/, as they
are very similar to git commits.

Article 4 of the Debian Social Contract says "We will be guided by
the needs of our users [...]". I believe the needs of most Debian
users are binary packages, not git repositories. I guess many Debian
users do not realize there are git repositories for the
corresponding binary packages, and some of them may not even have an
idea of what git is. Many people claim that a DD's intent is in the
git repository when the DD uses git to maintain a package. However,
due to possible bugs/changes in the toolchain, malware, mistakes or
other things, the DD's intent may not be present in the resulting
source/binary package. And *currently* in buildd, binary packages are
still built from source packages. So I think it should be a moral
obligation for a DD to make sure his/her intent is present in the
source packages (and finally present in the binary packages).[1] I
know that DDs are volunteers and it is impossible for them to
perform a thorough inspection of the source package. But I feel that
it is a lack of moral obligation for a DD to blindly sign the
resulting source package without even spending a few seconds looking
at what is inside it, if he/she knows the resulting source package
may differ from his/her intent. And for tag2upload, I think there is
the same moral obligation for a DD even though he/she does not need
to sign the source package.

* To be clear, I think the moral obligation for the source package
will not be required if buildd can build binary packages directly
from git, i.e. without source packages.

[1] Although these checks may be tedious and error-prone, I think,
unfortunately, a human still needs to do them.

Regards,
Jun MO