On Wed, 2018-11-28 at 09:45 +0000, Holger Levsen wrote: > On Wed, Nov 28, 2018 at 07:52:08AM +0500, Alexander E. Patrakov > wrote: > As long as there is one Debian Developer (or any other person who has the > > right to upload binary packages) who has a merged /usr on his system used > > for building packages, there is a risk of reintroducing the bug through his > > package. Maybe we should somehow, in the short term, modify dpkg to add > > something like "Tainted-By: usr-merge" control field to all binary packages > > produced, if a package is built on a system with merged /usr (detected via > > /bin being a symlink).
There are far more annoying problems that are caused by, for example, building in a really outdated chroot or a chroot for the wrong distribution and so on. (Also the test is wrong, /bin can be a symlink without the system having merged-/usr when the local admin just moved some files around to a more preferred location...) > we have .buildinfo files now which document the packages installed > during build time. If usrmerge is installed it will be there. usrmerge being installed doesn't tell you if a system has merged-/usr or not. Newly installed systems will have merged-/usr, but no usrmerge (as debootstrap creates the symlinks), or usrmerge could be removed after the system has been converted (I did that for my systems). Ansgar
