Re: Restoring debhelper dh5 compat for the LTS?
On Wed, Mar 23, 2022 at 03:34:24PM +0100, Sebastien Bacher wrote:
> Those issues are easy to fix but I would prefer us to focus on spending our
> effort on more user impacting problems so I'm suggesting we revert the
> change for the LTS.
>
> How do other feel like about that?
Thanks for raising this issue, Sebastien.
This change presents a problem for the security team's maintenance
activities: in order to fix future issues we would first need to upgrade
the packaging so it can build at all.
I made a survey of my local mirror and found 303 packages in jammy
have debian/compat files with "5" or "6". Not all will require security
support, of course, but it's hard to know what the ratio will be. (If
I've juggled my shell pipelines correctly, around 17 of these have had
around 65 CVEs.)
Can we please sync this change in May?
Thanks
$ awk -F/ '$2 ~ "srv" {printf "%-12s %-36s %s\n", $6, $8, $9;}' <
/tmp/compat-5-6
main acpi-support acpi-support_0.143build1.dsc
main checksecurity
checksecurity_2.0.16+nmu1ubuntu1.dsc
main cdrkit cdrkit_1.1.11-3.2build1.dsc
main gnu-standards
gnu-standards_2010.03.11-1.1.dsc
main libogg libogg_1.3.5-0ubuntu1.dsc
main ltrace ltrace_0.7.3-6.1ubuntu3.dsc
main mawk mawk_1.3.4.20200120-3.dsc
main pkcs11-helperpkcs11-helper_1.28-1.dsc
main raptor2 raptor2_2.0.15-0ubuntu3.dsc
main rasqal rasqal_0.9.33-0.2.dsc
main redland redland_1.0.17-1.1ubuntu2.dsc
main update-motd update-motd_3.9.dsc
main wireless-regdb
wireless-regdb_2021.08.28-0ubuntu1.dsc
main x-kitx-kit_0.5.0ubuntu4.dsc
main xbitmaps xbitmaps_1.1.1-2.1.dsc
main xfonts-scalable xfonts-scalable_1.0.3-1.2.dsc
main xfonts-encodings
xfonts-encodings_1.0.5-0ubuntu1.dsc
universe aa3d aa3d_1.0-8build1.dsc
universe add-apt-key add-apt-key_1.0-0.5.dsc
universe alac-decoder
alac-decoder_0.2.0-0ubuntu2.dsc
universe anagramarama anagramarama_0.3-0ubuntu6.dsc
universe apsfilterapsfilter_7.2.6-2.dsc
universe aspell-idaspell-id_1.2-0-0ubuntu1.dsc
universe asql asql_1.6-1.1.dsc
universe asterisk-prompt-fr-armelle
asterisk-prompt-fr-armelle_20070613-2.1.dsc
universe asterisk-prompt-fr-proformatique
asterisk-prompt-fr-proformatique_20070706-1.4-2.1.dsc
universe audio-convert
audio-convert_0.3.1.1-0ubuntu6.dsc
universe balloontip
balloontip_2008.11.14-0ubuntu2.dsc
universe barada-pam barada-pam_0.5-3.1build13.dsc
universe bf bf_20041219ubuntu7.dsc
universe biabam biabam_0.9.7-7.2.dsc
universe binutils-msp430
binutils-msp430_2.22~msp20120406-5.1.dsc
universe bot-sentry bot-sentry_1.3.0-0ubuntu1.dsc
universe bplaybplay_0.991-10build1.dsc
universe brother-lpr-drivers-mfc9420cn
brother-lpr-drivers-mfc9420cn_1.0.0-3-0ubuntu4.dsc
universe breathe-icon-theme breathe-icon-theme_0.51.2.dsc
universe bve-train-br-class-323-3dcab
bve-train-br-class-323-3dcab_20100711-0ubuntu2.dsc
universe byacc-j byacc-j_1.15-1build3.dsc
universe bve-train-br-class-323
bve-train-br-class-323_4.0.1809-0ubuntu3.dsc
universe cadaver cadaver_0.23.3-2.1build1.dsc
universe cappuccino cappuccino_0.5.1-9.1.dsc
universe cdi2iso cdi2iso_0.1-0ubuntu3.dsc
universe choosewm choosewm_0.1.6-3build1.dsc
universe chrootuidchrootuid_1.3-6build1.dsc
universe cifercifer_1.2.0-0ubuntu5.dsc
universe chise-base chise-base_0.3.0-2.1.dsc
universe cimg cimg_2.9.4+dfsg-3.dsc
universe clamassassin clamassassin_1.2.4-1.1.dsc
universe classmate-artworkclassmate-artwork_0.2-1.dsc
universe cli-common cli-common_0.10.dsc
universe clif clif_0.93-9.1build2.dsc
Re: Restoring debhelper dh5 compat for the LTS?
Hey Steve, Thanks for the reply. Le 23/03/2022 à 20:16, Steve Langasek a écrit : - Any package using compat level 5 does not, for example, get automatic support for default build flags from dpkg-buildflags. This means any binaries built with compat level 5 should be considered insecure and dangerous in their own right at this point, due to the lack of compiler security flags. I agree it's an issue but I don't find the position we have coherent so far. It seems also bogus to me that we hadn't been actively engaged or communicating about the issue if we believe it's of the higher importance. Should we start reporting rls-...-incoming bugs for package built with dh5 in every supported Ubuntu series? That would seems proportionate step in regard of what you and Dimitri seems to consider the severity of the issue? - The merge of the debhelper version from Debian that included this change (which was decided upstream) happened on February 14. This was well before Feature Freeze on February 24. While in an ideal world someone making this change would have communicated proactively to the Ubuntu developers that it was coming and what impact it would have had, the lack of such communication does not, in my view, invalidate the decision to do the merge from Debian. I didn't mean to imply that the merge was technically wrong or not respect our processes. Still it is late, has an non trivial impact on our workload and seemed a change the we got by luck rather than being actively seeking to bring it so I felt it was fair to asking the question of whether we wanted to consider reverting. It's especially suboptimal than we basically stopped syncing from Debian around the time we included the change that made packages stop to build, which means we aren't autoimporting the fixes for those issues. From my perspective, it is the responsibility of teams to factor time post-FF for the fixing of build failures into their capacity planning, and furthermore, the impact of this *particular* change on archive buildability should be rather small. I see no reason to revert the change in question. Speaking for desktop I'm not worried about being able to fix the build of the packages in our set, I simply believe it would benefit our users more if we were focusing on fixing rls targeted and user visible problems at this point of the cycle. I'm also thinking about the impact it will have on universe and the number of ftbfsing package we will have in the archive for the LTS. Cheers, Sebastien Bacher -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, Mar 23, 2022 at 03:08:37PM +, Dimitri John Ledkov wrote: > As part of the release process we perform archive wide rebuilds, and > fix all FTBFS for the release across the full archive. We can't > release Ubuntu without fixing those. This is false, for the record. No Ubuntu release in recent memory has had the build failure count across the full archive reduced to zero at time of release. The target is that we have the list of known build failures at zero for main at release time; having it at zero for the full archive would require a much more drastic policy regarding removals. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: PGP signature -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, Mar 23, 2022 at 06:50:26PM +, Robie Basak wrote: > On Wed, Mar 23, 2022 at 02:58:27PM +, Dimitri John Ledkov wrote: > > Please don't. There are many bugs in older compat level that may produce > > debs no longer compatible with our OS. Especially around generated > > maintainer scripts. > > It's best to upgrade packaging to compat level 13. Sounds like a long > > overdue packaging upkeep. > I understand the principle here, but it seems very late in our cycle to > be suddenly finding ourselves with the task of doing this for the entire > archive. What changed that suddenly makes this urgent for _this_ cycle > in particular, apart from that someone noticed? Some facts: - debhelper 7, which superseded compat level 5, is 12 years old. Any package in the archive that is still using debhelper compat level 5 has SERIOUSLY unmaintained packaging. (I'm pretty sure, for instance, that lintian has had warnings about this for a while; so at minimum, a responsible maintainer looking at the output of lintian before uploading should have picked up on this issue well before now.) - Any package using compat level 5 does not, for example, get automatic support for default build flags from dpkg-buildflags. This means any binaries built with compat level 5 should be considered insecure and dangerous in their own right at this point, due to the lack of compiler security flags. - The merge of the debhelper version from Debian that included this change (which was decided upstream) happened on February 14. This was well before Feature Freeze on February 24. While in an ideal world someone making this change would have communicated proactively to the Ubuntu developers that it was coming and what impact it would have had, the lack of such communication does not, in my view, invalidate the decision to do the merge from Debian. > I don't have a strong view on the technicalities here, but socially it > seems pretty harsh to suddenly impose this on development teams who are > already busy due to what amounts to an accident of timing for general, > tech-debt type improvements rather than something that directly impacts > user experience. It'd be nice to see a compelling reason to push for > more late notice work that doesn't rely on the word "may". From my perspective, it is the responsibility of teams to factor time post-FF for the fixing of build failures into their capacity planning, and furthermore, the impact of this *particular* change on archive buildability should be rather small. I see no reason to revert the change in question. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: PGP signature -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, 23 Mar 2022 at 18:50, Robie Basak wrote: > > On Wed, Mar 23, 2022 at 02:58:27PM +, Dimitri John Ledkov wrote: > > Please don't. There are many bugs in older compat level that may produce > > debs no longer compatible with our OS. Especially around generated > > maintainer scripts. > > > > It's best to upgrade packaging to compat level 13. Sounds like a long > > overdue packaging upkeep. > > I understand the principle here, but it seems very late in our cycle to > be suddenly finding ourselves with the task of doing this for the entire > archive. What changed that suddenly makes this urgent for _this_ cycle > in particular, apart from that someone noticed? > > I don't have a strong view on the technicalities here, but socially it > seems pretty harsh to suddenly impose this on development teams who are > already busy due to what amounts to an accident of timing for general, > tech-debt type improvements rather than something that directly impacts > user experience. It'd be nice to see a compelling reason to push for > more late notice work that doesn't rely on the word "may". > I didn't mean to enforce or request an upgrade to 13. I wanted to ensure it is known that re-introducing support in debhelper for compats 5 & 6 is very risky, and potentially buggy and is not something we can or should attempt to do. Upgrading packaging from compat 5 to 7 should be fairly minimal, even if upgrading to 13 would be best. Especially since compat level 7 has been available for more than 14 years now. I am now deeply worried that we have packages in the archive that didn't get packaging updates for 14 years now. Regards, Dimitri. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, Mar 23, 2022 at 02:58:27PM +, Dimitri John Ledkov wrote: > Please don't. There are many bugs in older compat level that may produce > debs no longer compatible with our OS. Especially around generated > maintainer scripts. > > It's best to upgrade packaging to compat level 13. Sounds like a long > overdue packaging upkeep. I understand the principle here, but it seems very late in our cycle to be suddenly finding ourselves with the task of doing this for the entire archive. What changed that suddenly makes this urgent for _this_ cycle in particular, apart from that someone noticed? I don't have a strong view on the technicalities here, but socially it seems pretty harsh to suddenly impose this on development teams who are already busy due to what amounts to an accident of timing for general, tech-debt type improvements rather than something that directly impacts user experience. It'd be nice to see a compelling reason to push for more late notice work that doesn't rely on the word "may". Robie signature.asc Description: PGP signature -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
Le 23/03/2022 à 16:08, Dimitri John Ledkov a écrit : Thus yes, there is an explicit mandate, especially for the universe, to be buildable. It can be resolved by fixing & upgrading packaging, or via removal of those packages from the archive. These packages are likely to be ubuntu-specific and/or niche leaf packages, not present in Debian. I'm fine with that but it's a last minute change which created the issue just before the LTS (if the change had landed a few weeks later we would talk about it and I don't think we could argue that the LTS would be lesser quality as a result. and is adding a bunch of extra work now. I'm asking for us to delay that problem to the start of next cycle to allow us to focus our limited resources on fixes that are actually visible to our users and having a negative impact on our product. I understand your opinion Dimitri and I think you stated it clearly, no offense but I would like to also hear from other teams and from the release team on the topic. Cheers, Sebastien -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, 23 Mar 2022 at 15:02, Sebastien Bacher wrote: > > Le 23/03/2022 à 15:58, Dimitri John Ledkov a écrit : > > It's best to upgrade packaging to compat level 13. Sounds like a long > > overdue packaging upkeep. > > Yes it's better, but it requires work, do we have the resources to deal > with those, especially for universe? > > Also you claim it produces buggy debs but do we have any report of such > problems or any way to grep the archive to figure out special cases we > know about that would give a non working binary? > See bug reports against debhelper, reverts, and ultimate removal of support for old compat levels. Existing binaries built with old debhelper are fine. Building binaries using latest debhelper but old compat levels are risky and produce buggy binaries, which are hard to track down. Debhelper upstream tried to keep working and improving new compat levels, whilst maintaining support for old ones, and eventually ran into the wall of not being able to reliable maintain that. As part of the release process we perform archive wide rebuilds, and fix all FTBFS for the release across the full archive. We can't release Ubuntu without fixing those. Thus yes, there is an explicit mandate, especially for the universe, to be buildable. It can be resolved by fixing & upgrading packaging, or via removal of those packages from the archive. These packages are likely to be ubuntu-specific and/or niche leaf packages, not present in Debian. Regards, Dimitri. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
Le 23/03/2022 à 15:58, Dimitri John Ledkov a écrit : It's best to upgrade packaging to compat level 13. Sounds like a long overdue packaging upkeep. Yes it's better, but it requires work, do we have the resources to deal with those, especially for universe? Also you claim it produces buggy debs but do we have any report of such problems or any way to grep the archive to figure out special cases we know about that would give a non working binary? Cheers, Sebastien -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
Please don't. There are many bugs in older compat level that may produce debs no longer compatible with our OS. Especially around generated maintainer scripts. It's best to upgrade packaging to compat level 13. Sounds like a long overdue packaging upkeep. On Wed, 23 Mar 2022, 14:34 Sebastien Bacher, wrote: > Hey there, > > Checking the desktop section of the ongoing archive rebuild we have a > bunch of ftbfs due > > > dh: error: Compatibility levels before 7 are no longer supported > (level 5 requested) > > That's because the newest debhelper upload removed compatibility for > level 5 and 6 > https://salsa.debian.org/debian/debhelper/-/commit/a80ba4f797 > > Those issues are easy to fix but I would prefer us to focus on spending > our effort on more user impacting problems so I'm suggesting we revert > the change for the LTS. > > How do other feel like about that? > > Cheers, > Sebastien Bacher > > > -- > ubuntu-devel mailing list > ubuntu-devel@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel > -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
