Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package debspawn

[ Reason ]
Debspawn is an nspawn-based package builder for Debian with a popcon value of 52, so it would normally migrate in this phase of the freeze via its autopkgtest. Unfortunately, that autopkgtest can't currently run on Debian's CI because Debian has no CI runners which provide machine-level isolation, a feature that debspawn needs as it will itself spawn containers and therefore can't run in one (an issue that the CI team is aware of, but that I didn't know about until recently).

The new release in unstable, while being a feature release, fixes two RC bugs, one being a potential security issue (#989049 - debspawn: privilege escalation via uid reuse) and one a dependency issue (#987547 - missing dependency on dpkg-dev). In addition to that, the changes also resolve a lot of papercuts and minor feature requests. They also ready debspawn for using the cgroups v2 layout, which Debian's systemd uses by default now (and which broke a few features of debspawn in testing).

[ Impact ]
If the unblock isn't granted, the package would be removed from testing in 4 days due to its security-issue RC bug, even though it had a test and technically fit the requirements for migration. This would lead to sad users and a sad maintainer. Debspawn has no reverse dependencies though, so no other package would be directly impacted.

[ Tests ]
The autopkgtest of Debspawn works well locally and apparently runs well on Ubuntu's CI systems as well. Furthermore, we are using Debspawn extensively at Purism to build the PureOS Debian derivative, so the current version has received quite a bit of real-world testing in building a lot of Debian packages on our autobuild machines.

[ Risks ]
The package is a leaf package, so any issue will only affect Debspawn.
While new features have been added, they received extensive testing or were included to resolve other issues (like the new logic to not reuse UIDs from the host to fix a security issue), so the overall risk of including these changes is low.

[ Other info ]
Upstream NEWS file with all the changes made compared to the version in testing:

Version 0.5.0
~~~~~~~~~~~~~~
Features:
 * maintain: Add new flag to print status information
 * maintain: status: Include debootstrap version in reports
 * docs: Document the `maintain` subcommand
 * Install systemd timer to clear all caches monthly
 * Unconditionally save buildlog

Bugfixes:
 * Rework how external system files are installed
 * Include extra data in manifest as well
 * Fix image creation if resolv.conf is a symlink

Version 0.4.2
~~~~~~~~~~~~~~
Features:
 * Add "maintain" subcommand to migrate or reset settings & state
 * Configure APT to not install recommends by default (deb: #987312)
 * Retry apt updates a few times to protect against bad mirrors
 * Add tmpfiles.d snippet to manage debspawn's temporary directory
 * Allow defining custom environment variables for package builds (deb: #986967)
 * Add maintenance action to update all images

Bugfixes:
 * Interpret EOF as "No" in interactive override question
 * Implement privileged device access properly
 * Move images to the right default location
 * Don't try to bindmount KVM if it doesn't exist
 * Use dpkg --print-architecture to determine arch (deb: #987547)
 * run: Mount builddir in initialization step
 * Don't register any of our nspawn containers by default
 * Check system encoding properly (deb: #982793)
 * Atomically and safely copy files into unsafe environments
 * Run builds as user with a random free UID (deb: #989049)

unblock debspawn/0.5.0-1
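As an added illustration of the class of problem behind #989049 (a build running under a UID that coincides with an account on the host) and of the "random free UID" mitigation named in the NEWS entry, here is a small Python routine that is not debspawn's own code: it checks a candidate build UID against the host's passwd entries and picks a random unused one instead. The passwd sample is constructed for the example and the UID range is an assumption.

```python
import random

# Constructed sample of host /etc/passwd content (not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
builder:x:1001:1001:CI builder:/home/builder:/bin/bash
"""


def used_uids(passwd_text: str) -> set:
    """Collect every UID that already belongs to an account on the host."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # passwd layout: name:passwd:uid:gid:gecos:home:shell
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank or malformed lines rather than guessing
        uids.add(int(fields[2]))
    return uids


def uid_collides(build_uid: int, passwd_text: str) -> bool:
    """True if a build running as build_uid would share identity with a host account.

    A fixed build UID such as 1000 is exactly the case where files created by the
    build, or processes left behind, end up owned by a real host user.
    """
    return build_uid in used_uids(passwd_text)


def pick_free_uid(passwd_text: str, lo: int = 10000, hi: int = 59999,
                  rng=random) -> int:
    """Choose a random UID in [lo, hi] that no host account uses (assumed range)."""
    taken = used_uids(passwd_text)
    candidates = [u for u in range(lo, hi + 1) if u not in taken]
    if not candidates:
        raise RuntimeError("no free UID in range %d-%d" % (lo, hi))
    return rng.choice(candidates)


if __name__ == "__main__":
    print("UID 1000 collides with host account:", uid_collides(1000, SAMPLE_PASSWD))
    print("chosen build UID:", pick_free_uid(SAMPLE_PASSWD))
```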