Bug#869184: dpkg: source uploads including _amd64.buildinfo cause problems

Ivo De Decker ivodd@debian.org
Tue Aug 27 13:26:22 BST 2019


Hi,

On Fri, Mar 02, 2018 at 01:25:51AM +0100, Guillem Jover wrote:
> On Thu, 2018-03-01 at 15:22:30 +0000, Holger Levsen wrote:
> > On Wed, Jan 24, 2018 at 04:05:39PM +0100, Salvatore Bonaccorso wrote:
> > > Any news regarding this proposal from Ansgar? We were bitten now
> > > several times already by this (e.g. php update, curl via
> > > security.d.o).
> > 
> > Guillem, what's your stance on this bug?
> 
> I think it should be fixed. I've just not come up with something that
> would seem a generic/clean way to do that. :(
> 
> > We (reproducible builds) really don't want "our" tools (=.buildinfo files)
> > to cause grief to other teams in Debian, and especially not on a regular
> > basis... so as a first step to fix this, I'd like to collect opinions
> > how to best fix this issue here.
> 
> The problem got introduced when I proposed changing the filename
> format, and dropping the annoying timestamp. I also thought there was
> talk at some point initially about DAK renaming those files to cope
> with possible multiple uploads if the conflicting names?
> 
> Renaming the arch buildinfo to _source.buildinfo seems wrong, and even
> then I'm not sure how to cleanly transfer that knowledge from
> dpkg-buildpackage to dpkg-genbuildinfo.
> 
> I guess, the ideal solution would be to qualify the buildinfo file
> with the builder user and hostname, because that in a way denotes the
> build environment. But that seems like too much leakage. As in:
> 
>   pkgfoo_1.0.0-1_mips64el_username@hostname.buildinfo
> 
> Perhaps just using the maintainer email address might be enough though,
> the one from the -m option or from the changelog, which AFAIR buildds
> do set? But this seems like it can produce quite ugly filenames:
> 
>   pkgfoo_1.0.0-1_mips64el_buildd_mipsel-mipsel-sil-01@buildd.debian.org.buildinfo
> 
> not to mention that both of these "break" the conventional pattern, which
> is still used by things like the debian/files parser and injector.

I submitted a merge request to sbuild to add a suffix like this to the
buildinfo and changes files:

https://salsa.debian.org/debian/sbuild/merge_requests/6

This would work around this issue, without needing any changes in maintainer
workflows.

The suffix could just be 'buildd', no need to have the buildd name in there.
The filename just needs to be different from the filename uploaded by the
maintainer. Obviously it could contain the buildd name if people think that
would be useful.

This change in sbuild only needs to happen on the buildd system. No change is
needed in the build chroots. So it should work for stretch and newer without
the need for changes to dpkg (or any other package) in those releases (jessie
doesn't have buildinfo files).

The patch also adds the suffix to the .changes file, to avoid a similar issue
there. This happens when the maintainer manually removes binaries from a
changes file to do a source-only upload. It would also potentially happen if
dak supported throw-away binaries.

Cheers,

Ivo
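The collision the thread is about, and the effect of a buildd-only suffix on it, shown as an added example (this is not code from dpkg, sbuild, or the merge request above). It models the conventional `source_version_arch.ext` upload-file pattern with a strict regular expression of its own (an assumption standing in for parsers such as the debian/files one Guillem mentions), uses constructed filenames for a maintainer's source-only upload and a buildd's amd64 build of the same version, and assumes a `-buildd` suffix placed between the architecture and the extension. It also shows why the separator matters for the conventional pattern: an underscore-separated suffix no longer matches at all, while a hyphen-separated one still matches but lands in the architecture field.

```python
import re
from collections import Counter

# Strict model of the conventional upload filename: source_version_arch.ext.
# Assumed pattern for illustration, not dpkg's or dak's own parser.
UPLOAD_RE = re.compile(
    r"^(?P<source>[a-z0-9][a-z0-9+.\-]+)_"
    r"(?P<version>[0-9][^_/]*)_"
    r"(?P<arch>[^_./]+)\.(?P<ext>buildinfo|changes)$"
)

# Constructed sample uploads for one source package version.
# The maintainer built the source package on an amd64 host, so the
# source-only upload carries an _amd64.buildinfo.
MAINTAINER_UPLOAD = [
    "pkgfoo_1.0.0-1.dsc",
    "pkgfoo_1.0.0-1_source.changes",
    "pkgfoo_1.0.0-1_amd64.buildinfo",
]
# The amd64 buildd then builds the binaries and produces the same names.
BUILDD_UPLOAD = [
    "pkgfoo_1.0.0-1_amd64.changes",
    "pkgfoo_1.0.0-1_amd64.buildinfo",
]


def parse_upload_name(filename):
    """Split a .changes/.buildinfo name into its fields, or None if it
    does not follow the conventional source_version_arch.ext pattern."""
    m = UPLOAD_RE.match(filename)
    return m.groupdict() if m else None


def add_suffix(filename, suffix="buildd", sep="-"):
    """Insert <sep><suffix> between the architecture and the extension.
    Only .changes and .buildinfo names are renamed; other files (the .dsc,
    tarballs, .debs) are left alone. The separator is an assumption."""
    stem, ext = filename.rsplit(".", 1)
    if ext not in ("changes", "buildinfo"):
        return filename
    return f"{stem}{sep}{suffix}.{ext}"


def find_collisions(filenames):
    """Names that occur more than once across the given uploads, i.e. files
    that would overwrite (or be rejected against) each other in an upload queue."""
    counts = Counter(filenames)
    return sorted(name for name, n in counts.items() if n > 1)


def suffixed_buildd_upload(suffix="buildd", sep="-"):
    """The buildd upload after the rename, as the sbuild-side change would produce it."""
    return [add_suffix(f, suffix, sep) for f in BUILDD_UPLOAD]


if __name__ == "__main__":
    print("collisions before:", find_collisions(MAINTAINER_UPLOAD + BUILDD_UPLOAD))
    print("collisions after: ", find_collisions(MAINTAINER_UPLOAD + suffixed_buildd_upload()))
    for name in ("pkgfoo_1.0.0-1_amd64-buildd.buildinfo",
                 "pkgfoo_1.0.0-1_amd64_buildd.buildinfo"):
        print(name, "->", parse_upload_name(name))
```

Run stand-alone, it reports `pkgfoo_1.0.0-1_amd64.buildinfo` as the only colliding name before the rename and none after it. The last two lines of output make Guillem's point concrete: `_buildd` breaks the three-field pattern outright, whereas `-buildd` keeps the file parseable, at the cost of the architecture field reading `amd64-buildd`, so any consumer that keys on the architecture would need to strip the suffix first.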




More information about the Reproducible-builds mailing list