
Debian Bug report logs - #944707
lintian: check for missing and unsigned .buildinfo files


Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <lintian-maint@debian.org>; Source for lintian is src:lintian (PTS, buildd, popcon).

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Thu, 14 Nov 2019 06:57:02 UTC

Severity: wishlist

Tags: moreinfo

Found in version lintian/2.33.0



Report forwarded to debian-bugs-dist@lists.debian.org, vagrant@reproducible-builds.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#944707; Package lintian. (Thu, 14 Nov 2019 06:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to vagrant@reproducible-builds.org, Debian Lintian Maintainers <lintian-maint@debian.org>. (Thu, 14 Nov 2019 06:57:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lintian: check for missing and unsigned .buildinfo files
Date: Wed, 13 Nov 2019 22:52:03 -0800
[Message part 1 (text/plain, inline)]
Package: lintian
Version: 2.33.0
Severity: wishlist

It would be nice if lintian checked for the presence of a .buildinfo
file when processing a .changes file.

For a stretch goal, it would be nice if it also checked if the
.buildinfo file was signed. :)

live well,
  vagrant
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#944707; Package lintian. (Thu, 14 Nov 2019 07:18:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Thu, 14 Nov 2019 07:18:03 GMT) (full text, mbox, link).


Message #10 received at 944707@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: "Vagrant Cascadian" <vagrant@reproducible-builds.org>, "Debian Bug Tracking System" <944707@bugs.debian.org>
Subject: Re: Bug#944707: lintian: check for missing and unsigned .buildinfo files
Date: Thu, 14 Nov 2019 08:14:24 +0100
tags 944707 + moreinfo
thanks

Hi Vagrant,

> It would be nice if lintian checked for the presence of a .buildinfo
> file when processing a .changes file.

I'm obviously sold on the idea of .buildinfo files but what error or
mistake might such a missing file imply on behalf of the developer?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Added tag(s) moreinfo. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Thu, 14 Nov 2019 07:18:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#944707; Package lintian. (Thu, 14 Nov 2019 07:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Thu, 14 Nov 2019 07:39:03 GMT) (full text, mbox, link).


Message #17 received at 944707@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Chris Lamb <lamby@debian.org>, Debian Bug Tracking System <944707@bugs.debian.org>
Subject: Re: Bug#944707: lintian: check for missing and unsigned .buildinfo files
Date: Wed, 13 Nov 2019 23:36:37 -0800
[Message part 1 (text/plain, inline)]
On 2019-11-14, Chris Lamb wrote:
>> It would be nice if lintian checked for the presence of a .buildinfo
>> file when processing a .changes file.
>
> I'm obviously sold on the idea of .buildinfo files but what error or
> mistake might such a missing file imply on behalf of the developer?

I'm not sure it's a mistake, per se, but suggests that they're using
very old tooling to build packages, or home-grown tooling, both of which
might have various bugs... but that seems a weak argument to me.

My goal in filing this bug is to gently nudge developers to include
developer built .buildinfo files, and ideally sign them as well, which
increases the number of .buildinfo files we are able to use to verify a
given build.

It is in Debian policy that packages *should* be reproducible, and
.buildinfo files are a crucial element to be able to demonstrate and
verify that packages are reproducible.

Ideally with a source-only upload, every build would have at least one
.buildinfo from the build daemon and one .buildinfo from the developer
who submitted the source package and at least two potential points of
convergence.

I would think something at the info or pedantic level would be most
appropriate at this point in time, if deemed appropriate at all...

All of which you're probably well aware, but at least this is forcing me
to think it out more verbosely...

Maybe lintian isn't the right place for this (yet), but happy to have
started and to continue the conversation.


live well,
  vagrant
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#944707; Package lintian. (Fri, 15 Nov 2019 22:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 15 Nov 2019 22:21:02 GMT) (full text, mbox, link).


Message #22 received at 944707@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: "Vagrant Cascadian" <vagrant@reproducible-builds.org>, "Debian Bug Tracking System" <944707@bugs.debian.org>
Subject: Re: Bug#944707: lintian: check for missing and unsigned .buildinfo files
Date: Fri, 15 Nov 2019 22:17:04 -0000
Dear Vagrant,

> Maybe lintian isn't the right place for this (yet), but happy to have
> started and to continue the conversation.

Agreed and just to underline again I am — of course — very much +1
on the case for .buildinfo files, but I would likely agree with you that
Lintian is not the best place for this, at least right now.

For starters, if Lintian complained about unsigned .buildinfo files it
would seem sensible to warn about unsigned .changes "first", unless we
wanted to specifically check the rather niche-sounding case of a
signed .changes but an unsigned .buildinfo; technically possible with
the right arguments to dpkg-buildpackage, but it feels a bit unlikely.

(Practically-speaking, if a user/workflow was using very old tooling
it is unlikely they would be using a [future] version of Lintian that
would have this check too. And does lintian.debian.org even have
access to buildinfo files...? These are lesser and somewhat
rhetorical questions that do not really need an answer.)

Anyway, thanks indeed for starting this conversation in terms of
finding ways of getting more .buildinfo files into the archive. :)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-
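The check discussed in messages #5, #17 and #22 (a .changes without a .buildinfo, an unsigned .buildinfo, and Chris's point that an unsigned .changes should be reported first), sketched as an added stand-alone example. This is not lintian's code and not part of this bug log; the tag names, the sample .changes and .buildinfo contents, and the OpenPGP armor with its placeholder signature are all constructed for the example.

```python
"""Added example, not lintian's own code: a stand-alone sketch of the check
requested in this bug. Given a .changes file and the upload's other files,
it reports (as hypothetical lintian-style tag names) an unsigned .changes,
a missing .buildinfo and an unsigned .buildinfo. All data below is
constructed: names, versions, checksums and signatures are placeholders."""

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed .changes for a source-only upload that lists a .buildinfo.
CHANGES_WITH_BUILDINFO = """\
Format: 1.8
Source: example-pkg
Binary: example-pkg
Architecture: source
Version: 1.0-1
Distribution: unstable
Files:
 00000000000000000000000000000001 1234 misc optional example-pkg_1.0-1.dsc
 00000000000000000000000000000002 5678 misc optional example-pkg_1.0.orig.tar.xz
 00000000000000000000000000000003 2345 misc optional example-pkg_1.0-1.debian.tar.xz
 00000000000000000000000000000004 6789 misc optional example-pkg_1.0-1_source.buildinfo
"""

# Same upload with the .buildinfo line dropped (old or home-grown tooling).
CHANGES_WITHOUT_BUILDINFO = "\n".join(
    line for line in CHANGES_WITH_BUILDINFO.splitlines()
    if not line.endswith(".buildinfo")) + "\n"

# Constructed unsigned .buildinfo, trimmed to a few fields.
BUILDINFO_UNSIGNED = "Format: 1.0\nSource: example-pkg\nVersion: 1.0-1\n"


def clearsign_placeholder(text: str) -> str:
    """Wrap text in clearsign armor with a placeholder signature block.
    Only the framing is produced; nothing here is a real signature."""
    return (f"{CLEARSIGN_BEGIN}\nHash: SHA512\n\n{text}"
            f"{SIG_BEGIN}\n\nPLACEHOLDER-SIGNATURE\n{SIG_END}\n")


def is_clearsigned(text: str) -> bool:
    """Structural check only: clearsign framing present and in order.
    Verifying the signature itself needs gpg and a trusted keyring."""
    lines = [line.rstrip("\r") for line in text.splitlines()]
    if not lines or lines[0] != CLEARSIGN_BEGIN:
        return False
    return (SIG_BEGIN in lines and SIG_END in lines
            and lines.index(SIG_BEGIN) < lines.index(SIG_END))


def changes_files(changes_text: str) -> list:
    """File names from the Files: field of a .changes, signed or not.
    Continuation lines are '<md5> <size> <section> <priority> <name>';
    the field ends at the first non-indented line, so the signature
    armor following a clearsigned body terminates it too."""
    names, in_files = [], False
    for line in changes_text.splitlines():
        if in_files:
            if line[:1] in (" ", "\t"):
                parts = line.split()
                if len(parts) == 5:
                    names.append(parts[4])
                continue
            in_files = False
        if line.startswith("Files:"):
            in_files = True
    return names


def find_buildinfo(changes_text: str):
    """Name of the first .buildinfo listed in the .changes, or None."""
    for name in changes_files(changes_text):
        if name.endswith(".buildinfo"):
            return name
    return None


def check_upload(changes_text: str, files: dict) -> list:
    """Hypothetical tag names for the cases discussed in this bug.
    'files' maps the upload's file names to their contents. As suggested
    in the thread, an unsigned .changes is reported before any complaint
    about the .buildinfo signature."""
    tags = []
    if not is_clearsigned(changes_text):
        tags.append("unsigned-changes")
    buildinfo = find_buildinfo(changes_text)
    if buildinfo is None:
        tags.append("missing-buildinfo")
    elif buildinfo not in files:
        tags.append("buildinfo-listed-but-absent")
    elif not is_clearsigned(files[buildinfo]):
        tags.append("unsigned-buildinfo")
    return tags


if __name__ == "__main__":
    signed = clearsign_placeholder(CHANGES_WITH_BUILDINFO)
    name = find_buildinfo(CHANGES_WITH_BUILDINFO)
    print(check_upload(signed, {name: clearsign_placeholder(BUILDINFO_UNSIGNED)}))
    print(check_upload(signed, {name: BUILDINFO_UNSIGNED}))
    print(check_upload(CHANGES_WITHOUT_BUILDINFO, {}))
```

`is_clearsigned` deliberately checks only the armor framing: deciding whether a signature is present is a lintian-sized question, while deciding whether it is valid requires a keyring and belongs to dput or the archive, which is where the later replies in this bug place the signing check.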



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#944707; Package lintian. (Fri, 15 Nov 2019 22:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 15 Nov 2019 22:21:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#944707; Package lintian. (Sat, 20 Mar 2021 08:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Adrian Bunk <bunk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Sat, 20 Mar 2021 08:33:03 GMT) (full text, mbox, link).


Message #32 received at 944707@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org>
To: Chris Lamb <lamby@debian.org>, 944707@bugs.debian.org
Cc: Vagrant Cascadian <vagrant@reproducible-builds.org>
Subject: Re: Bug#944707: lintian: check for missing and unsigned .buildinfo files
Date: Sat, 20 Mar 2021 10:31:11 +0200
On Fri, Nov 15, 2019 at 10:17:04PM -0000, Chris Lamb wrote:
>...
> For starters, if Lintian complained about unsigned .buildinfo files it
> would seem sensible to warn about unsigned .changes "first",
>...

The logical order is that lintian runs before signing,
signing potentially broken packages feels wrong.

dput already rejects unsigned changes, and this is the right place for
the check.

cu
Adrian



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#944707; Package lintian. (Sat, 20 Mar 2021 10:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Adrian Bunk <bunk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Sat, 20 Mar 2021 10:03:02 GMT) (full text, mbox, link).


Message #37 received at 944707@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org>
To: Vagrant Cascadian <vagrant@reproducible-builds.org>, 944707@bugs.debian.org
Cc: Chris Lamb <lamby@debian.org>
Subject: Re: Bug#944707: lintian: check for missing and unsigned .buildinfo files
Date: Sat, 20 Mar 2021 11:58:25 +0200
On Wed, Nov 13, 2019 at 11:36:37PM -0800, Vagrant Cascadian wrote:
> On 2019-11-14, Chris Lamb wrote:
> >> It would be nice if lintian checked for the presence of a .buildinfo
> >> file when processing a .changes file.
> >
> > I'm obviously sold on the idea of .buildinfo files but what error or
> > mistake might such a missing file imply on behalf of the developer?
> 
> I'm not sure it's a mistake, per se, but suggests that they're using
> very old tooling to build packages, or home-grown tooling, both of which
> might have various bugs...
>...

Or passing the --buildinfo-option=-O/tmp/dpkgisstupid option to 
dpkg-buildpackage because buildinfo files don't make sense for 
source-only uploads.

cu
Adrian





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Feb 3 06:41:39 2025; Machine Name: buxtehude
