If we take a fresh upstream release directly into a stable release update, then it seems to me that it's important to validate that the orig tarball matches what upstream released, or is otherwise reproducible against what upstream released (e.g. if it was repacked for the usual reasons).

It's not currently a documented hard requirement for SRUs, but I think that it should be, or at least be our default position. I've noticed some matter related to this concern a couple of days running so I thought it was time to start a thread on this.

When reviewing an SRU that does this, I usually take steps to verify this. If it doesn't match (usually due to a repack I cannot reproduce) then I query it. This is sometimes quite painful to do as I try to track down an upstream source and some way to validate it.

We have tooling to make this easy in the majority of cases, with uscan, debian/watch and debian/upstream/signing-key.asc. I usually run `uscan --download-current-version`, check that HTTPS or GPG was used, and that the resulting tarball's hash matches the hash in the upload's changes file.

It might help to understand my position in the other thread by considering that I have myself been doing this kind of verification for years when I review SRUs that include orig tarballs.

A few discussion points from this:

0) If you don't agree that this is important, then I guess this is an opportunity to make your point.

1) If you're preparing a relevant SRU, this is a request for you to please ensure that uscan is set up appropriately with as much security as upstream offer. Preferably this is done and maintained in the development release, so by the time an SRU is required, there are no changes needed to uscan configuration. Since this tooling is well-established and this is best practice anyway, I trust that this isn't a controversial request! Note that uscan can do some repacking via mk-origtargz and Files-Excluded* in debian/copyright.

2) If uscan cannot be made to work, then it would be useful to document how you arrived at the orig tarball you uploaded.

3) To what extent should this become a documented requirement for SRUs, main inclusion, etc?

Robie
-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
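The verification step the post describes, as an added shell example that is not part of Robie's message: it runs uscan from the unpacked source tree and compares the SHA-256 of the fetched orig tarball with the Checksums-Sha256 entry in the upload's .changes file. The package name hello, version 1.2 and the .changes contents used in the offline demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the orig tarball uscan
# fetched from upstream has the SHA-256 recorded in the upload's .changes file.
set -eu

# Print the SHA-256 recorded for file name $2 in the Checksums-Sha256 block of
# the .changes file $1 (block lines look like " <sha256> <size> <filename>").
changes_sha256() {
    awk -v f="$2" '
        /^Checksums-Sha256:/ { in_block = 1; next }
        /^[^ ]/              { in_block = 0 }
        in_block && $3 == f  { print $1; exit }
    ' "$1"
}

# Compare the tarball on disk ($2) with its entry in the .changes file ($1).
# Returns 0 on a match, 1 if the hash differs or the file is not listed.
verify_orig() {
    expected=$(changes_sha256 "$1" "$(basename "$2")")
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK: $(basename "$2") matches $1"
        return 0
    fi
    echo "MISMATCH: $(basename "$2") expected=${expected:-<not listed>} actual=$actual" >&2
    return 1
}

# The post's procedure end to end: from the unpacked source tree $1 (which needs
# debian/watch and, preferably, debian/upstream/signing-key.asc) run uscan, which
# places the tarball named $3 in the parent directory, then check it against $2.
# Needs network access and devscripts, so the offline demo below does not call it.
fetch_and_verify() {
    if ! grep -q 'https://' "$1/debian/watch" && [ ! -f "$1/debian/upstream/signing-key.asc" ]; then
        echo "WARNING: neither HTTPS nor an upstream signing key is configured" >&2
    fi
    (cd "$1" && uscan --download-current-version)
    verify_orig "$2" "$(dirname "$1")/$3"
}

# Offline demo with a constructed tarball and a constructed .changes file.
demo() {
    d=$(mktemp -d)
    printf 'constructed sample content\n' > "$d/hello_1.2.orig.tar.gz"
    h=$(sha256sum "$d/hello_1.2.orig.tar.gz" | cut -d' ' -f1)
    printf 'Source: hello\nChecksums-Sha256:\n %s 27 hello_1.2.orig.tar.gz\nFiles:\n' \
        "$h" > "$d/hello_1.2-0ubuntu1.changes"
    verify_orig "$d/hello_1.2-0ubuntu1.changes" "$d/hello_1.2.orig.tar.gz"
}
demo
```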