Bug#709218: developers-reference: adjust versioning convention note for security updates

2013-05-22 Thread Raphael Hertzog
On Tue, 21 May 2013, Salvatore Bonaccorso wrote:
> In #685646 the advice for versioning for {stable,testing}{,-security}
> uploads was adjusted. In [1] there is a missing bit for it referring to
> the older convention +codename1. I tried to address this change in
> attached patch.

Thanks, applied.

-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/


-- 
To UNSUBSCRIBE, email to debian-policy-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130522084257.gf12...@x230-buxy.home.ouaza.com



Processed: limit source to developers-reference, tagging 709218

2013-05-22 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> #developers-reference (3.4.11) UNRELEASED; urgency=low
> #
> #  * Update versioning advice for security uploads as well. Closes: #709218
> #Thanks to Salvatore Bonaccorso for the patch.
> #
> limit source developers-reference
Limiting to bugs with field 'source' containing at least one of 
'developers-reference'
Limit currently set to 'source':'developers-reference'

> tags 709218 + pending
Bug #709218 [developers-reference] developers-reference: adjust versioning 
convention note for security updates
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
709218: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709218
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Re: Bug#709382: mksh: broken Built-Using handling

2013-05-22 Thread Thorsten Glaser
Sune Vuorela dixit:

>The handling of built-using is wrong. It is not meant to encode the
>compiler used, nor binutils or kernel headers should be recorded there

Policy 3.9.4 §7.8 says:

 Some binary packages incorporate parts of other packages when built
 but do not have to depend on those packages.  Examples include linking
 with static libraries or incorporating source code from another

>It is specifically for building against -source packages and for hacks
>like ia32libs where binaries are copied into a source package. Not for
>'everything'.

In this specific case, there are one to two statically linked
programs there. In some cases, they link statically against a
GPL licenced library. So my current interpretation of the text
from Policy above says that Built-Using is indeed required there.

>What you effectively are doing is asking for a mksh rebuild on each

No, just that dak keeps the source versions around for longer.
A final rebuild near the end of the freeze should be enough,
if it is indeed needed at all. (If dak just keeps the relevant
source packages at hand, and they end up on the source CDs, I
believe all requirements are met, and IIRC reading that this,
not rebuilding, is how things are handled on Debian side; the
only requirement is that, upon a binary *entering* the archive,
the source packages in that precise version must be known to
dak, i.e. not already superseded (by newer version, NBFAS or
removal); once a package B-Us them they will not be removed.

I’m closing this as not a bug. Please feel free to file a bug
against the Policy wording in the meantime; as things are now,
the wording specifically includes statically linked binaries.

The composition of B-U in mksh is as follows:

• mksh-static is always built statically;
  either against klibc (plus linux-libc-dev and libgcc),
  or against dietlibc (plus libgcc),
  or against eglibc (plus libgcc)

• lksh is built statically if klibc or dietlibc are
  available, with the same “plus” as above

• the build script records what was actually put into
  the binaries, gets the appropriate source package
  relationships from that and puts it into Built-Using

In the dietlibc case at the very least (since it’s GPL;
would have to look closer at others), the resulting binary
is fully covered by the requirement of the GPL that its
precise and complete sources be available.


I don’t mind changing this *at all*, but I can only do
that (justifiedly) if it’s not against what I believe
to interpret Policy correctly (especially since it
specifically lists static linkage), or if there’s a
CTTE resolution asking me to change it. I’ve had more
troubles with this B-U ever since using it in experimental,
so… really, no argument from me, just following
Policy (with some background in licencing and toolchains).

bye,
//mirabilos
-- 
I believe no one can invent an algorithm. One just happens to hit upon it
when God enlightens him. Or only God invents algorithms, we merely copy them.
If you don't believe in God, just consider God as Nature if you won't deny
existence.  -- Coywolf Qi Hunt





Re: Bug#709382: mksh: broken Built-Using handling

2013-05-22 Thread Russ Allbery
Thorsten Glaser writes:

> In this specific case, there are one to two statically linked programs
> there. In some cases, they link statically against a GPL licenced
> library. So my current interpretation of the text from Policy above says
> that Built-Using is indeed required there.

Per previous discussion on debian-devel, the Policy text is too aggressive
and, read literally, encourages people to do things we definitely do not
want them to do, such as add Built-Using for libgcc.

We need to get the Policy text fixed.

In the meantime, please don't add Built-Using for libgcc.  The libgcc
license does not require it, due to the runtime exception, and essentially
every package in the archive would acquire a Built-Using if it were used
for libgcc.

I haven't looked at the situation for static linking with eglibc or the
other libc implementations you reference.  The general consensus on
debian-devel (at least as I understood it) was to only use Built-Using
when there's some licensing reason why we need to keep the referenced
package.

-- 
Russ Allbery (r...@debian.org)   
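
Added example (not part of the thread and not mksh's actual build script): a sketch of the step described above, turning the list of packages whose code was statically linked into a Built-Using value, with an exclusion list for sources that have no licensing reason to be pinned. The variable EXCLUDE_SOURCES, the function names and every package name and version in the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Compose a Built-Using value ("source (= version), ...") from the binary
# packages that contributed code to a statically linked program.
#
# Input on stdin: one line per contributing binary package, in the form
#   <binary package> <source package> <source version>
# which is what the following query prints for installed packages:
#   dpkg-query -W -f '${Package} ${source:Package} ${source:Version}\n' PKG...
#
# EXCLUDE_SOURCES (hypothetical knob): space-separated source packages to
# leave out, e.g. the source of libgcc, whose runtime exception means no
# licensing reason exists to keep that exact source version in the archive.

built_using() {
    exclude=" ${EXCLUDE_SOURCES:-} "
    while read -r bin src ver; do
        [ -n "$ver" ] || continue        # skip blank or malformed lines
        case "$exclude" in
            *" $src "*) continue ;;      # excluded source package
        esac
        printf '%s (= %s)\n' "$src" "$ver"
    done | LC_ALL=C sort -u | paste -sd, - | sed 's/,/, /g'
}

# Constructed sample: names and versions are illustrative only, modelled on
# the "klibc plus linux-libc-dev and libgcc" case from the thread.
sample_input() {
    cat <<'EOF'
libklibc-dev klibc 2.0.1-1
linux-libc-dev linux 3.2.1-1
libgcc1 gcc-4.7 4.7.2-5
EOF
}

# Everything that was linked in, then the same list without the libgcc source.
sample_input | built_using
sample_input | EXCLUDE_SOURCES="gcc-4.7" built_using
```
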

