Re: Restoring debhelper dh5 compat for the LTS?
On Wed, Mar 23, 2022 at 03:34:24PM +0100, Sebastien Bacher wrote: > Those issues are easy to fix but I would prefer us to focus on spending our > effort on more user impacting problems so I'm suggesting we revert the > change for the LTS. > > How do other feel like about that? Thanks for raising this issue, Sebastien. This change presents a problem for the security team's maintenance activities: in order to fix future issues we would first need to upgrade the packaging so it can build at all. I made a survey of my local mirror and found 303 packages in jammy have debian/compat files with "5" or "6". Not all will require security support, of course, but it's hard to know what the ratio will be. (If I've juggled my shell pipelines correctly, around 17 of these have had around 65 CVEs.) Can we please sync this change in May? Thanks $ awk -F/ '$2 ~ "srv" {printf "%-12s %-36s %s\n", $6, $8, $9;}' < /tmp/compat-5-6 main acpi-support acpi-support_0.143build1.dsc main checksecurity checksecurity_2.0.16+nmu1ubuntu1.dsc main cdrkit cdrkit_1.1.11-3.2build1.dsc main gnu-standards gnu-standards_2010.03.11-1.1.dsc main libogg libogg_1.3.5-0ubuntu1.dsc main ltrace ltrace_0.7.3-6.1ubuntu3.dsc main mawk mawk_1.3.4.20200120-3.dsc main pkcs11-helperpkcs11-helper_1.28-1.dsc main raptor2 raptor2_2.0.15-0ubuntu3.dsc main rasqal rasqal_0.9.33-0.2.dsc main redland redland_1.0.17-1.1ubuntu2.dsc main update-motd update-motd_3.9.dsc main wireless-regdb wireless-regdb_2021.08.28-0ubuntu1.dsc main x-kitx-kit_0.5.0ubuntu4.dsc main xbitmaps xbitmaps_1.1.1-2.1.dsc main xfonts-scalable xfonts-scalable_1.0.3-1.2.dsc main xfonts-encodings xfonts-encodings_1.0.5-0ubuntu1.dsc universe aa3d aa3d_1.0-8build1.dsc universe add-apt-key add-apt-key_1.0-0.5.dsc universe alac-decoder alac-decoder_0.2.0-0ubuntu2.dsc universe anagramarama anagramarama_0.3-0ubuntu6.dsc universe apsfilterapsfilter_7.2.6-2.dsc universe aspell-idaspell-id_1.2-0-0ubuntu1.dsc universe asql asql_1.6-1.1.dsc universe asterisk-prompt-fr-armelle asterisk-prompt-fr-armelle_20070613-2.1.dsc universe asterisk-prompt-fr-proformatique asterisk-prompt-fr-proformatique_20070706-1.4-2.1.dsc universe audio-convert audio-convert_0.3.1.1-0ubuntu6.dsc universe balloontip balloontip_2008.11.14-0ubuntu2.dsc universe barada-pam barada-pam_0.5-3.1build13.dsc universe bf bf_20041219ubuntu7.dsc universe biabam biabam_0.9.7-7.2.dsc universe binutils-msp430 binutils-msp430_2.22~msp20120406-5.1.dsc universe bot-sentry bot-sentry_1.3.0-0ubuntu1.dsc universe bplaybplay_0.991-10build1.dsc universe brother-lpr-drivers-mfc9420cn brother-lpr-drivers-mfc9420cn_1.0.0-3-0ubuntu4.dsc universe breathe-icon-theme breathe-icon-theme_0.51.2.dsc universe bve-train-br-class-323-3dcab bve-train-br-class-323-3dcab_20100711-0ubuntu2.dsc universe byacc-j byacc-j_1.15-1build3.dsc universe bve-train-br-class-323 bve-train-br-class-323_4.0.1809-0ubuntu3.dsc universe cadaver cadaver_0.23.3-2.1build1.dsc universe cappuccino cappuccino_0.5.1-9.1.dsc universe cdi2iso cdi2iso_0.1-0ubuntu3.dsc universe choosewm choosewm_0.1.6-3build1.dsc universe chrootuidchrootuid_1.3-6build1.dsc universe cifercifer_1.2.0-0ubuntu5.dsc universe chise-base chise-base_0.3.0-2.1.dsc universe cimg cimg_2.9.4+dfsg-3.dsc universe clamassassin clamassassin_1.2.4-1.1.dsc universe classmate-artworkclassmate-artwork_0.2-1.dsc universe cli-common cli-common_0.10.dsc universe clif clif_0.93-9.1build2.dsc
Re: Restoring debhelper dh5 compat for the LTS?
Hey Steve, Thanks for the reply. Le 23/03/2022 à 20:16, Steve Langasek a écrit : - Any package using compat level 5 does not, for example, get automatic support for default build flags from dpkg-buildflags. This means any binaries built with compat level 5 should be considered insecure and dangerous in their own right at this point, due to the lack of compiler security flags. I agree it's an issue but I don't find the position we have coherent so far. It seems also bogus to me that we hadn't been actively engaged or communicating about the issue if we believe it's of the higher importance. Should we start reporting rls-...-incoming bugs for package built with dh5 in every supported Ubuntu series? That would seems proportionate step in regard of what you and Dimitri seems to consider the severity of the issue? - The merge of the debhelper version from Debian that included this change (which was decided upstream) happened on February 14. This was well before Feature Freeze on February 24. While in an ideal world someone making this change would have communicated proactively to the Ubuntu developers that it was coming and what impact it would have had, the lack of such communication does not, in my view, invalidate the decision to do the merge from Debian. I didn't mean to imply that the merge was technically wrong or not respect our processes. Still it is late, has an non trivial impact on our workload and seemed a change the we got by luck rather than being actively seeking to bring it so I felt it was fair to asking the question of whether we wanted to consider reverting. It's especially suboptimal than we basically stopped syncing from Debian around the time we included the change that made packages stop to build, which means we aren't autoimporting the fixes for those issues. From my perspective, it is the responsibility of teams to factor time post-FF for the fixing of build failures into their capacity planning, and furthermore, the impact of this *particular* change on archive buildability should be rather small. I see no reason to revert the change in question. Speaking for desktop I'm not worried about being able to fix the build of the packages in our set, I simply believe it would benefit our users more if we were focusing on fixing rls targeted and user visible problems at this point of the cycle. I'm also thinking about the impact it will have on universe and the number of ftbfsing package we will have in the archive for the LTS. Cheers, Sebastien Bacher -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, Mar 23, 2022 at 03:08:37PM +, Dimitri John Ledkov wrote: > As part of the release process we perform archive wide rebuilds, and > fix all FTBFS for the release across the full archive. We can't > release Ubuntu without fixing those. This is false, for the record. No Ubuntu release in recent memory has had the build failure count across the full archive reduced to zero at time of release. The target is that we have the list of known build failures at zero for main at release time; having it at zero for the full archive would require a much more drastic policy regarding removals. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: PGP signature -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, Mar 23, 2022 at 06:50:26PM +, Robie Basak wrote: > On Wed, Mar 23, 2022 at 02:58:27PM +, Dimitri John Ledkov wrote: > > Please don't. There are many bugs in older compat level that may produce > > debs no longer compatible with our OS. Especially around generated > > maintainer scripts. > > It's best to upgrade packaging to compat level 13. Sounds like a long > > overdue packaging upkeep. > I understand the principle here, but it seems very late in our cycle to > be suddenly finding ourselves with the task of doing this for the entire > archive. What changed that suddenly makes this urgent for _this_ cycle > in particular, apart from that someone noticed? Some facts: - debhelper 7, which superseded compat level 5, is 12 years old. Any package in the archive that is still using debhelper compat level 5 has SERIOUSLY unmaintained packaging. (I'm pretty sure, for instance, that lintian has had warnings about this for a while; so at minimum, a responsible maintainer looking at the output of lintian before uploading should have picked up on this issue well before now.) - Any package using compat level 5 does not, for example, get automatic support for default build flags from dpkg-buildflags. This means any binaries built with compat level 5 should be considered insecure and dangerous in their own right at this point, due to the lack of compiler security flags. - The merge of the debhelper version from Debian that included this change (which was decided upstream) happened on February 14. This was well before Feature Freeze on February 24. While in an ideal world someone making this change would have communicated proactively to the Ubuntu developers that it was coming and what impact it would have had, the lack of such communication does not, in my view, invalidate the decision to do the merge from Debian. > I don't have a strong view on the technicalities here, but socially it > seems pretty harsh to suddenly impose this on development teams who are > already busy due to what amounts to an accident of timing for general, > tech-debt type improvements rather than something that directly impacts > user experience. It'd be nice to see a compelling reason to push for > more late notice work that doesn't rely on the word "may". From my perspective, it is the responsibility of teams to factor time post-FF for the fixing of build failures into their capacity planning, and furthermore, the impact of this *particular* change on archive buildability should be rather small. I see no reason to revert the change in question. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: PGP signature -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, 23 Mar 2022 at 18:50, Robie Basak wrote: > > On Wed, Mar 23, 2022 at 02:58:27PM +, Dimitri John Ledkov wrote: > > Please don't. There are many bugs in older compat level that may produce > > debs no longer compatible with our OS. Especially around generated > > maintainer scripts. > > > > It's best to upgrade packaging to compat level 13. Sounds like a long > > overdue packaging upkeep. > > I understand the principle here, but it seems very late in our cycle to > be suddenly finding ourselves with the task of doing this for the entire > archive. What changed that suddenly makes this urgent for _this_ cycle > in particular, apart from that someone noticed? > > I don't have a strong view on the technicalities here, but socially it > seems pretty harsh to suddenly impose this on development teams who are > already busy due to what amounts to an accident of timing for general, > tech-debt type improvements rather than something that directly impacts > user experience. It'd be nice to see a compelling reason to push for > more late notice work that doesn't rely on the word "may". > I didn't mean to enforce or request an upgrade to 13. I wanted to ensure it is known that re-introducing support in debhelper for compats 5 & 6 is very risky, and potentially buggy and is not something we can or should attempt to do. Upgrading packaging from compat 5 to 7 should be fairly minimal, even if upgrading to 13 would be best. Especially since compat level 7 has been available for more than 14 years now. I am now deeply worried that we have packages in the archive that didn't get packaging updates for 14 years now. Regards, Dimitri. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, Mar 23, 2022 at 02:58:27PM +, Dimitri John Ledkov wrote: > Please don't. There are many bugs in older compat level that may produce > debs no longer compatible with our OS. Especially around generated > maintainer scripts. > > It's best to upgrade packaging to compat level 13. Sounds like a long > overdue packaging upkeep. I understand the principle here, but it seems very late in our cycle to be suddenly finding ourselves with the task of doing this for the entire archive. What changed that suddenly makes this urgent for _this_ cycle in particular, apart from that someone noticed? I don't have a strong view on the technicalities here, but socially it seems pretty harsh to suddenly impose this on development teams who are already busy due to what amounts to an accident of timing for general, tech-debt type improvements rather than something that directly impacts user experience. It'd be nice to see a compelling reason to push for more late notice work that doesn't rely on the word "may". Robie signature.asc Description: PGP signature -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
Le 23/03/2022 à 16:08, Dimitri John Ledkov a écrit : Thus yes, there is an explicit mandate, especially for the universe, to be buildable. It can be resolved by fixing & upgrading packaging, or via removal of those packages from the archive. These packages are likely to be ubuntu-specific and/or niche leaf packages, not present in Debian. I'm fine with that but it's a last minute change which created the issue just before the LTS (if the change had landed a few weeks later we would talk about it and I don't think we could argue that the LTS would be lesser quality as a result. and is adding a bunch of extra work now. I'm asking for us to delay that problem to the start of next cycle to allow us to focus our limited resources on fixes that are actually visible to our users and having a negative impact on our product. I understand your opinion Dimitri and I think you stated it clearly, no offense but I would like to also hear from other teams and from the release team on the topic. Cheers, Sebastien -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
On Wed, 23 Mar 2022 at 15:02, Sebastien Bacher wrote: > > Le 23/03/2022 à 15:58, Dimitri John Ledkov a écrit : > > It's best to upgrade packaging to compat level 13. Sounds like a long > > overdue packaging upkeep. > > Yes it's better, but it requires work, do we have the resources to deal > with those, especially for universe? > > Also you claim it produces buggy debs but do we have any report of such > problems or any way to grep the archive to figure out special cases we > know about that would give a non working binary? > See bug reports against debhelper, reverts, and ultimate removal of support for old compat levels. Existing binaries built with old debhelper are fine. Building binaries using latest debhelper but old compat levels are risky and produce buggy binaries, which are hard to track down. Debhelper upstream tried to keep working and improving new compat levels, whilst maintaining support for old ones, and eventually ran into the wall of not being able to reliable maintain that. As part of the release process we perform archive wide rebuilds, and fix all FTBFS for the release across the full archive. We can't release Ubuntu without fixing those. Thus yes, there is an explicit mandate, especially for the universe, to be buildable. It can be resolved by fixing & upgrading packaging, or via removal of those packages from the archive. These packages are likely to be ubuntu-specific and/or niche leaf packages, not present in Debian. Regards, Dimitri. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
Le 23/03/2022 à 15:58, Dimitri John Ledkov a écrit : It's best to upgrade packaging to compat level 13. Sounds like a long overdue packaging upkeep. Yes it's better, but it requires work, do we have the resources to deal with those, especially for universe? Also you claim it produces buggy debs but do we have any report of such problems or any way to grep the archive to figure out special cases we know about that would give a non working binary? Cheers, Sebastien -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Restoring debhelper dh5 compat for the LTS?
Please don't. There are many bugs in older compat level that may produce debs no longer compatible with our OS. Especially around generated maintainer scripts. It's best to upgrade packaging to compat level 13. Sounds like a long overdue packaging upkeep. On Wed, 23 Mar 2022, 14:34 Sebastien Bacher, wrote: > Hey there, > > Checking the desktop section of the ongoing archive rebuild we have a > bunch of ftbfs due > > > dh: error: Compatibility levels before 7 are no longer supported > (level 5 requested) > > That's because the newest debhelper upload removed compatibility for > level 5 and 6 > https://salsa.debian.org/debian/debhelper/-/commit/a80ba4f797 > > Those issues are easy to fix but I would prefer us to focus on spending > our effort on more user impacting problems so I'm suggesting we revert > the change for the LTS. > > How do other feel like about that? > > Cheers, > Sebastien Bacher > > > -- > ubuntu-devel mailing list > ubuntu-devel@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel > -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel