Hi,
On 20/01/2026 22:19, Carlos Henrique Lima Melara wrote:
I've worked on ffmpeg to fix the CVEs in bullseye and prepared the
upload this past weekend. I still need to push the changes to
lts-team/packages/ffmpeg, but one thing needs solving before that.
Currently, if one gbp clones the repo and downloads the orig tarball from
the Debian archive, it's not possible to build from source. dpkg-source
complains about unexpected changes in the source (I tested with sbuild
and gbp buildpackage --git-builder=sbuild). Looking at the commit history,
things seem very weird:
* ab11aa7496 (HEAD -> debian/bullseye, tag: debian/7%4.3.9-0+deb11u1, ) DLA 7:4.3.9-0+deb11u1
* abe8b709ef Merge tag 'upstream/4.3.9' into debian/bullseye
* 510b685fb2 (tag: debian/7%4.3.8-0+deb11u3) Import Debian changes 7:4.3.8-0+deb11u3
* 669100acac (tag: debian/7%4.3.8-0+deb11u2) Import Debian changes 7:4.3.8-0+deb11u2
|\
| * 2a5add219a (tag: upstream/4.3.8, origin/upstream) Import Upstream version 4.3.8
| * 27873c00e2 Import Upstream version 4.3.8
| * f44990f0bb Import Upstream version 4.3.8
| * 92bc1184a1 Import Upstream version 4.3.8
| * fb1d40307e Import Upstream version 4.3.8
| * d73b06f932 Import Upstream version 4.3.8
| * 986d5d6dae Import Upstream version 4.3.8
| * 42bf744f41 Import Upstream version 4.3.8
| * c4b3ef131d (tag: upstream/4.1.11) Import Upstream version 4.1.11
| * 4582c38aac (tag: upstream/3.2.19) New upstream version 3.2.19
| * bdde3cc254 (tag: upstream/4.1.10) Import Upstream version 4.1.10
| * 01242f962c (tag: upstream/3.2.18) New upstream version 3.2.18
| * 25209261b2 (tag: upstream/3.2.17) New upstream version 3.2.17
| * 23aefd3e4e (tag: upstream/3.2.16) New upstream version 3.2.16
| * 17a25d0b89 (tag: upstream/3.2.15) New upstream version 3.2.15
* d359857ddb (tag: debian/7%4.3.8-0+deb11u1) Release to bullseye
* 27629c17e4 Add CI pipeline for bullseye
* c846ebb84f Add patches for CVE-2024-31578 and CVE-2023-49502
* b8b975d0b6 New upstream release
* 2bac0b5447 Update upstream source from tag 'upstream/4.3.8'
|\
| * d2af485103 New upstream version 4.3.8
* | 2eca5fb979 Import Debian changes 7:4.3.7-0+deb11u1
|\|
| * 288752cf49 Import Upstream version 4.3.7
Here it seems Anton forked the repository for LTS, but incorrectly
created new 'upstream' and 'pristine-tar' branches instead of re-using
the existing ones ('upstream/$dist'). We now have bullseye imports on 2
upstream branches.
Then I guess Emilio didn't push the upstream/4.3.8 tag when importing
4.3.8-0, and also switched back to the original 'upstream/bullseye'
branch, perhaps by starting his work on the original ffmpeg repo.
Then Thorsten imported deb11u2.dsc, without noticing the missing tag,
creating a separate identical import. (Then he probably did multiple
imports while finalizing the upload, incorrectly dropping the new
upstream tag each time.)
Last, Adrian appears to have imported 4.3.9 manually, the merge commit
doesn't point to a branch. But incorrectly, as even '/VERSION' is still
at de-sync'd 4.3.8. This is what's causing the GBP build failure.
That's quite a lot of issues.
Overall our repo is in quite a bad shape.
Generally speaking, I avoid force pushing by all means necessary,
especially if things just look weird in the history. The problem is that
one can't build from source from this git repo, so I don't think there is
a point in trying hard to keep the history, especially since they were just
gbp import-dsc commits after d359857ddb. So I did re-import the dscs from
snapshot.d.o under my own salsa namespace and worked there to prepare
the new bullseye release. Are we ok with force pushing this new history
there? Mind that only the commits after d359857ddb were changed. The new
tree looks like this:
* f89aa674 (HEAD -> debian/bullseye, origin/debian/bullseye) Update changelog for 7:4.3.9-0+deb11u2 release
* 56822e3e d/p/CVE-2025-63757.patch: cherry-pick from upstream
* ebb6262e d/salsa-ci.yml: add (E)LTS pipeline for bullseye
* ebf6632d d/p/CVE-2025-10256.patch: backport from upstream
* e49dddaa d/p/fix-use-of-uninitialized-memory.patch: cherry-pick from upstream
* f8fd00a7 d/p/CVE-2025-9951-{1,2}.patch: cherry-pick from upstream
* ef810fa8 d/p/CVE-2025-7700.patch: backport from upstream
* f05f8f58 d/p/CVE-2025-1594.patch: cherry-pick from upstream
* dfe8140a d/p/CVE-2024-36615-2.patch: backport regression fix from upstream
* 9c10a040 d/p/CVE-2024-36615-1.patch: backport from upstream
* c5bf626b d/p/CVE-2023-6603.patch: cherry-pick from upstream
* ed5fddfa Import Debian changes 7:4.3.9-0+deb11u1
|\
| * d247ffd1 (tag: upstream/4.3.9, origin/upstream/bullseye) Import Upstream version 4.3.9
* | 69d942c7 Import Debian changes 7:4.3.8-0+deb11u3
* | bc93ee60 Import Debian changes 7:4.3.8-0+deb11u2
* | d359857d Release to bullseye
* | 27629c17 Add CI pipeline for bullseye
* | c846ebb8 Add patches for CVE-2024-31578 and CVE-2023-49502
* | b8b975d0 New upstream release
* | 2bac0b54 Update upstream source from tag 'upstream/4.3.8'
|\|
| * d2af4851 New upstream version 4.3.8
* | 2eca5fb9 (tag: debian/7%4.3.7-0+deb11u1) Import Debian changes 7:4.3.7-0+deb11u1
|\|
| * 288752cf (tag: upstream/4.3.7) Import Upstream version 4.3.7
I checked out https://salsa.debian.org/charles/ffmpeg.
We're missing 'upstream/4.3.8' and 'debian/4.3.8*' tags.
We need to update 'pristine-tar' with the new 4.3.x upstream releases.
I'm in favor of force-pushing, as too many issues piled up, and this is
error-prone for future uploads.
We might want to completely ditch our repository and re-import
debian/buster and debian/stretch as well, as they still point to Anton's
separate 'upstream' and 'pristine-tar' branches.
Cheers!
Sylvain
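The problems discussed in this thread (a debian/* tag whose upstream/<version> tag was never pushed, an upstream import that was never merged, pristine-tar data missing for a new orig tarball, and a merged tree whose VERSION file still says the old release) can all be caught before pushing. The following pre-push check is an added example, not code from the thread, from git-buildpackage or from the Debian ffmpeg packaging; it assumes gbp's default tag layout (debian/<version> with the epoch ':' written as '%', and upstream/<version>) and ffmpeg's top-level VERSION file.

```shell
#!/bin/sh
# gbp_consistency_check <repo-dir> <source-package> [debian-branch] [version-file]
# For every debian/* tag merged into the Debian branch, verify that:
#   1. the matching upstream/<version> tag exists,
#   2. that upstream tag is an ancestor of the debian tag (the import was merged),
#   3. the pristine-tar branch carries <pkg>_<version>.orig.tar.* data,
#   4. the version file in the tagged tree equals the upstream version
#      (ffmpeg ships VERSION; pass "" as 4th argument to skip for other packages).
# Prints one line per finding and returns the number of findings (0 = clean).
gbp_consistency_check() {
    repo=$1 pkg=$2 branch=${3:-debian/bullseye} verfile=${4-VERSION}
    problems=0
    for tag in $(git -C "$repo" tag --list 'debian/*' --merged "$branch"); do
        # debian/7%4.3.9-0+deb11u1 -> 4.3.9: drop prefix, epoch and Debian revision
        dver=${tag#debian/}; dver=${dver#*%}; uver=${dver%-*}
        if ! git -C "$repo" rev-parse -q --verify "refs/tags/upstream/$uver" >/dev/null; then
            echo "$tag: missing tag upstream/$uver"
            problems=$((problems + 1)); continue
        fi
        if ! git -C "$repo" merge-base --is-ancestor "upstream/$uver" "$tag"; then
            echo "$tag: upstream/$uver was never merged into it"
            problems=$((problems + 1))
        fi
        # pristine-tar stores <pkg>_<ver>.orig.tar.<ext>.delta and .id at the tree root
        if ! git -C "$repo" ls-tree --name-only pristine-tar 2>/dev/null \
                | grep -qF "${pkg}_${uver}.orig.tar."; then
            echo "$tag: pristine-tar has no data for ${pkg}_${uver}.orig.tar.*"
            problems=$((problems + 1))
        fi
        if [ -n "$verfile" ]; then
            treever=$(git -C "$repo" show "$tag:$verfile" 2>/dev/null | tr -d '[:space:]')
            if [ "$treever" != "$uver" ]; then
                echo "$tag: $verfile in the tree says '$treever', the tag says $uver"
                problems=$((problems + 1))
            fi
        fi
    done
    return $problems
}

# Stand-alone use: gbp_consistency_check ~/src/ffmpeg ffmpeg debian/bullseye
if [ $# -gt 0 ]; then gbp_consistency_check "$@"; fi
```

Run it from the packaging checkout before `git push`; a non-zero exit lists exactly which tag, branch or file is out of step.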