Hi,

On 27/05/2025 14:06, Sean Whitton wrote:
> Hello release team,
>
> How do you detect packages that need rebuilding in stable releases
> because they have outdated Built-Using? Sylvain Beucler of the LTS team
> noted that we may need to do this for bullseye because we have updated
> glibc.
>
> If there are already scripts to do this, it would be great if you could
> direct me to them. Thanks.

Probably something like:

# apt-cache dumpavail | \
    grep-dctrl \
    -F Built-Using 'glibc' -a \
    '(' --not -F Architecture all ')' \
    -s Source,Package,Version
Package: aide
Version: 0.17.3-4+deb11u2

Source: bash
Package: bash-static
Version: 5.1-2+deb11u1

Source: cdebootstrap (0.7.8)
Package: cdebootstrap-static
Version: 0.7.8+b3

Source: chkrootkit (0.54-1)
Package: chkrootkit
Version: 0.54-1+b2

Source: dar (2.6.13-2)
Package: dar-static
Version: 2.6.13-2+b3

Package: debian-installer
Version: 20210731+deb11u12

Source: sash (3.8-5)
Package: sash
Version: 3.8-5+b13

Source: tripwire (2.4.3.7-3)
Package: tripwire
Version: 2.4.3.7-3+b3

Source: zsh
Package: zsh-static
Version: 5.8-6+deb11u1

Source: zutils (1.10-1)
Package: zutils
Version: 1.10-1+b2

Source: busybox
Package: busybox-static
Version: 1:1.30.1-6+deb11u1

Package: docker.io
Version: 20.10.5+dfsg1-1+deb11u4

Source: qemu
Package: qemu-user-static
Version: 1:5.2+dfsg-11+deb11u4

then manually checking the last upload date, and evaluating the CVE impact.

Some more packages are selected without "--not -F Architecture all",
including debian-installer-netboot-images and
cross-toolchain-base-ports, but we don't have to rebuild everything,
only those we think may be impacted by fixed CVEs.

Note: Built-Using is less exhaustive in older (ELTS) releases.

See also
https://lts-team.pages.debian.net/wiki/TestSuites/golang.html#identify-reverse-build-dependencies

This is tracked through
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/227

Cheers!
Sylvain Beucler
Debian LTS Team