Dear Debian Developers,
(I am just a Debian user with a little experience in Debian packaging.)
On Mon, 24 Jun 2024 09:12:54 -0700 Russ Allbery <r...@debian.org> writes:
> For the third purpose, I believe only weak intent information can be
> derived from the uploader signature today. It is common practice in Debian
> to verify the Git tree that one wants to upload, run a package build step,
> and then blindly sign the resulting source package. [...]
I feel this is somehow ... wrong. I think, *currently*, it should be a
moral obligation for a DD to make sure the resulting source package is
correct.
Let me first start from binary Debian packages. I have encountered bugs
in two packages that rendered the packages completely unusable. (One of
the bugs was from an NMU.) The bugs were probably due to changes in the
toolchain. Reproducible builds are useless for detecting them, as the same
toolchain will result in the same binary package. Both bugs could easily be
detected by automatic tests, but obviously there was no automatic test,
or the automatic tests did not cover these cases. And I think there are
packages that need to be actually used in order to test them, by which I
mean installing the packages and starting the software. For example,
start a browser to open a website, play a video using a video player,
etc. In the cases of these bugs, obviously the Uploaders didn't actually
start the program to test the binary packages, as using the program on a
simple input will immediately result in an error.
Back to source Debian packages. Consider a workflow in which there is no
d/patches/ in the DD's working directory and the patches under
d/patches/ are generated by dgit when building the source package. Now
hypothesize that there is a bug in dgit which builds a source package
without d/patches/. If the DD blindly signs and uploads the resulting
source package, the defective source package will go into the archive.
There are many messages mentioning to-be-implemented reproducible builds
for source packages, but I think reproducible builds are useless here,
similar to the situation in the previously mentioned bugs. And I didn't
see anyone mention something like automatic-source-package-tests in the
threads around tag2upload, so to detect the defective source package
someone may actually need to look into the source package. I think it is
naturally assumed that it should be the DD who does the check. Although
many people claim the source package is a build artifact, I think the
source package is still supposed to be readable by a human, unlike
binary packages. I think this is true especially for patches under
d/patches/, as they are very similar to git commits.
The #4 article of the Debian Social Contract says "We will be guided by
the needs of our users [...]". I believe the needs of most Debian users
are binary packages, not git repositories. I guess many Debian users do
not realize there are git repositories for the corresponding binary
packages, and some of them may not even have an idea of what git is.
Many people claim that a DD's intent is in the git repository when the
DD uses git to maintain a package. However, due to possible bugs/changes
in the toolchain, malware, mistakes or other things, the DD's intent may
not be present in the resulting source/binary package. And *currently*
on the buildds, binary packages are still built from source packages. So
I think it should be a moral obligation for a DD to make sure his/her
intent is present in the source packages (and finally present in the
binary packages).[1] I know that DDs are volunteers and it is impossible
for them to perform a thorough inspection of the source package. But I
feel that it is a lack of moral obligation if a DD blindly signs the
resulting source package without even spending a few seconds looking at
what is inside it, if he/she knows the resulting source package may
differ from his/her intent. And for tag2upload, I think there is the
same moral obligation for a DD even though he/she does not need to sign
the source package.
* To be clear, I think the moral obligation for source packages will not
be required if the buildds can build binary packages directly from git,
i.e. without source packages.
[1] Although these checks may be tedious and error-prone, I think,
unfortunately, they still need a human to do them.
Regards,
Jun MO
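The "spend a few seconds looking at what is inside" step described in the mail above, as an added example that is not part of the original message and not code from dgit or tag2upload: a small pre-signing sanity check of debian/patches/ in an unpacked source tree, covering the hypothetical failure mode (a source package built with no d/patches/ at all) plus the series/file drift a human would otherwise eyeball. The sample trees, patch text and the expect_patches flag (the DD knows from git whether upstream changes, and hence patches, must be present) are constructed assumptions for the demo.

```python
"""Pre-signing sanity check for debian/patches in an unpacked Debian source tree.

Added example, not code from the original mail or from dgit/tag2upload.
Checks (assumed, not a Debian policy): a series file exists when patches are
expected, every listed patch exists, is non-empty and carries at least one
diff hunk, and no patch file sits in the directory unlisted.
"""
from pathlib import Path
import re
import tempfile

# quilt/dpkg-source patches are unified diffs; a hunk header looks like "@@ -1,3 +1,4 @@"
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@", re.MULTILINE)


def read_series(patches_dir: Path) -> list[str]:
    """Return patch names from debian/patches/series, ignoring comments and quilt options."""
    series = patches_dir / "series"
    if not series.is_file():
        return []
    names = []
    for line in series.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split()[0])  # drop trailing options such as "-p1"
    return names


def check_patches(source_tree: Path, expect_patches: bool) -> list[str]:
    """Return human-readable findings; an empty list means the tree looks consistent."""
    findings = []
    patches_dir = source_tree / "debian" / "patches"
    if not patches_dir.is_dir():
        if expect_patches:  # the hypothetical "dgit dropped d/patches/" case
            findings.append("debian/patches/ is missing although patches were expected")
        return findings
    names = read_series(patches_dir)
    if expect_patches and not names:
        findings.append("debian/patches/series is missing or lists no patches")
    for name in names:
        patch = patches_dir / name
        if not patch.is_file():
            findings.append(f"series lists {name} but the file is missing")
            continue
        text = patch.read_text(errors="replace")
        if not text.strip():
            findings.append(f"{name} is empty")
        elif not HUNK_RE.search(text):
            findings.append(f"{name} contains no diff hunks")
    listed = set(names)
    for entry in sorted(patches_dir.iterdir()):
        if entry.is_file() and entry.name != "series" and entry.name not in listed:
            findings.append(f"{entry.name} is present but not listed in series")
    return findings


# Constructed sample patch (not from any real package).
GOOD_PATCH = """Description: constructed sample patch
--- a/hello.c
+++ b/hello.c
@@ -1,3 +1,3 @@
 int main(void) {
-    return 1;
+    return 0;
 }
"""


def build_trees(root: Path) -> dict[str, Path]:
    """Construct three sample trees: consistent, missing d/patches/, and drifted series."""
    good = root / "good" / "debian" / "patches"
    good.mkdir(parents=True)
    (good / "series").write_text("fix-exit-code.patch\n")
    (good / "fix-exit-code.patch").write_text(GOOD_PATCH)

    defective = root / "defective" / "debian"  # what the hypothetical dgit bug would emit
    defective.mkdir(parents=True)
    (defective / "control").write_text("Source: hello\n")

    stale = root / "stale" / "debian" / "patches"  # series and files out of sync
    stale.mkdir(parents=True)
    (stale / "series").write_text("fix-exit-code.patch\nmissing.patch\n")
    (stale / "fix-exit-code.patch").write_text("")
    (stale / "unlisted.patch").write_text(GOOD_PATCH)
    return {"good": root / "good", "defective": root / "defective", "stale": root / "stale"}


def demo() -> dict[str, list[str]]:
    """Run the check on the constructed trees and return the findings per tree."""
    with tempfile.TemporaryDirectory() as tmp:
        trees = build_trees(Path(tmp))
        return {name: check_patches(tree, expect_patches=True) for name, tree in trees.items()}


if __name__ == "__main__":
    for tree, findings in demo().items():
        print(tree, "OK" if not findings else findings)
```

In practice one would run check_patches on the tree produced by `dpkg-source -x` from the freshly built .dsc, before signing it, and pass expect_patches=True whenever the git tree differs from the upstream tag outside debian/.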