Hi,

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021336

This kind of bug in "required" package breaks build infrastructure
that uses sid. However, we can prevent it by using piuparts before
it would get into repository, IMHO.

How we can implement it, any ideas?

--
Hideki Yamane <henrich@iijmio-mail.jp>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------y0fZeheVihZsid0Xxn0IrIlR
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

DQpBbSAwNi4xMC4yMiB1bSAxNzozNCBzY2hyaWViIEhpZGVraSBZYW1hbmU6DQo+IEhpLA0K PiANCj4gICBodHRwczovL2J1Z3MuZGViaWFuLm9yZy9jZ2ktYmluL2J1Z3JlcG9ydC5jZ2k/ YnVnPTEwMjEzMzYNCj4gICANCj4gICBUaGlzIGtpbmQgb2YgYnVnIGluICJyZXF1aXJlZCIg cGFja2FnZSBicmVha3MgYnVpbGQgaW5mcmFzdHJ1Y3R1cmUNCj4gICB0aGF0IHVzZXMgc2lk LiBIb3dldmVyLCB3ZSBjYW4gcHJldmVudCBpdCBieSB1c2luZyBwaXVwYXJ0cyBiZWZvcmUN Cj4gICBpdCB3b3VsZCBnZXQgaW50byByZXBvc2l0b3J5LCBJTUhPLg0KPiAgIA0KPiAgIEhv dyB3ZSBjYW4gaW1wbGVtZW50IGl0LCBhbnkgaWRlYXM/DQo+IA0KDQpJZiB5b3UgYXJlIHVz aW5nIHNhbHNhLCB5b3UgY2FuIHV0aWxpemUgYWxsIHRoZSBmZWF0dXJlcyBnaXRsYWIgDQpw cm92aWRlcy4gRS5nLiBpbiBzcmM6c3lzdGVtZCwgd2UgdXNlDQpodHRwczovL3NhbHNhLmRl Ymlhbi5vcmcvc3lzdGVtZC10ZWFtL3N5c3RlbWQvLS9ibG9iL2RlYmlhbi9tYXN0ZXIvZGVi aWFuL2dpdGxhYi1jaS55bWwNCg0KRm9yIGxhcmdlciBjaGFuZ2VzIHRvIHRoZSBwYWNrYWdl LCB3ZSB1c2UgZ2l0bGFiIE1ScyB3aGljaCB3aWxsIA0KYXV0b21hdGljYWxseSBiZSB0ZXN0 ZWQgYnkgdGhlIENJLg0KSXQncyBhIHdvcmtmbG93IEkgY2FuIG9ubHkgcmVjb21tZW5kLg0K SWYgeW91IGRvbid0IHVzZSBNUnMgYW5kIHNpbXBseSBwdXNoIHlvdXIgY2hhbmdlcywgeW91 IGNhbiBhdCBsZWFzdCANCmVhc2lseSBjaGVjaywgaWYgaXQgcGFzc2VzIHRoZSBjb21wbGV0 ZSBwaXBlbGluZS4NCg0KUmVnYXJkcywNCk1pY2hhZWwNCg==

--------------y0fZeheVihZsid0Xxn0IrIlR--

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmM++AIFAwAAAAAACgkQauHfDWCPItwR EQ//e4s1XcW6FpJE2j2HuqAodUUB2JqdazCM0HdJMXyNsGzUcSvQdGSB0yw9QLTWVXmLiDMhrgmw uQQGz98nsY3xaaYJKsE1eAYtQ4nBTt2qzvk6IM9idGOLRWfRgZLvx+Nx20t0vdEUyG5Noj8P4A9G ka7xyc5mpuixckYRre8qBWDJKNes3iNgEnAbe3snQjc5beOT4cBv3E4jU5tGlinPTRtpSwe5HeF6 alsxBRpeAir96FdBPIDjcZmTTSR4tfVU+l+H0hW4WBEYKBzUBs0rEANCYBhHqCU90+Q7ioEIYZnf HH8xsVsTOXqsNJpT31UG+N6MxzFsMn1JkVA0Oo9GFIULArEvGmA/KsqaB5nZAXXbDKC/EW3MfY1R JUSeOqKAUBLcnA0IRHc69A2F0UT3hIYtYWakDT9PiGs816wdNPV4vK/FKADBj2Y4pRLyZACsygHW vOQFvPZNSw7xEPV0v5xNSW/tpa9poBwsG9YYBbNc+CBdCqROpChDjhApg35N1Cay62Pgqj/odURO 4ZtsGGf2lXDCHTpkMsPrIEA9LIouyThyUG7OK6Yjoh+msCUiT+TxTTtK2Xo8iqXf5eY493RJSGjz jTLVxuh3GwAY5qcl3eTYMp7AkEw906sIDWKQyucS/dIVvUlV7JU6QSFjiOKB5956cdaVvpTOMTyw me0=
=kmAr
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------KPRYZl0mSq1zE9jIvWwR6L4C
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

QW0gMDYuMTAuMjIgdW0gMTc6NDUgc2NocmllYiBNaWNoYWVsIEJpZWJsOg0KPiANCj4gQW0g MDYuMTAuMjIgdW0gMTc6MzQgc2NocmllYiBIaWRla2kgWWFtYW5lOg0KPj4gSGksDQo+Pg0K Pj4gwqAgaHR0cHM6Ly9idWdzLmRlYmlhbi5vcmcvY2dpLWJpbi9idWdyZXBvcnQuY2dpP2J1 Zz0xMDIxMzM2DQo+PiDCoCBUaGlzIGtpbmQgb2YgYnVnIGluICJyZXF1aXJlZCIgcGFja2Fn ZSBicmVha3MgYnVpbGQgaW5mcmFzdHJ1Y3R1cmUNCj4+IMKgIHRoYXQgdXNlcyBzaWQuIEhv d2V2ZXIsIHdlIGNhbiBwcmV2ZW50IGl0IGJ5IHVzaW5nIHBpdXBhcnRzIGJlZm9yZQ0KPj4g wqAgaXQgd291bGQgZ2V0IGludG8gcmVwb3NpdG9yeSwgSU1ITy4NCj4+IMKgIEhvdyB3ZSBj YW4gaW1wbGVtZW50IGl0LCBhbnkgaWRlYXM/DQo+Pg0KPiANCj4gSWYgeW91IGFyZSB1c2lu ZyBzYWxzYSwgeW91IGNhbiB1dGlsaXplIGFsbCB0aGUgZmVhdHVyZXMgZ2l0bGFiIA0KPiBw cm92aWRlcy4gRS5nLiBpbiBzcmM6c3lzdGVtZCwgd2UgdXNlDQo+IGh0dHBzOi8vc2Fsc2Eu ZGViaWFuLm9yZy9zeXN0ZW1kLXRlYW0vc3lzdGVtZC8tL2Jsb2IvZGViaWFuL21hc3Rlci9k ZWJpYW4vZ2l0bGFiLWNpLnltbCANCj4gDQo+IA0KPiBGb3IgbGFyZ2VyIGNoYW5nZXMgdG8g dGhlIHBhY2thZ2UsIHdlIHVzZSBnaXRsYWIgTVJzIHdoaWNoIHdpbGwgDQo+IGF1dG9tYXRp Y2FsbHkgYmUgdGVzdGVkIGJ5IHRoZSBDSS4NCj4gSXQncyBhIHdvcmtmbG93IEkgY2FuIG9u bHkgcmVjb21tZW5kLg0KPiBJZiB5b3UgZG9uJ3QgdXNlIE1ScyBhbmQgc2ltcGx5IHB1c2gg eW91ciBjaGFuZ2VzLCB5b3UgY2FuIGF0IGxlYXN0IA0KPiBlYXNpbHkgY2hlY2ssIGlmIGl0 IHBhc3NlcyB0aGUgY29tcGxldGUgcGlwZWxpbmUuDQoNCkJ0dywgdGhlIGlyb255IGlzIG5v dCBsb3N0IG9uIG1lLCB0aGF0IHdlIGN1cnJlbnRseSBkaXNhYmxlIHNwZWNpZmljYWxseSAN CnBpdXBhcnRzIGJlY2F1c2Ugb2YgWzFdIHdoZW4geW91ciBxdWVzdGlvbiB3YXMgaG93IHRv IHJ1biBwaXVwYXJ0cy4NCg0KSSdtIHN1cmUgWzFdIHdpbGwgYmUgZml4ZWQgZXZlbnR1YWxs eSBhbmQgdXNpbmcgc2Fsc2EtY2kgaXMgc3RpbGwgDQpzb21ldGhpbmcgSSBjYW4gb25seSBy ZWNvbW1lbmQgd2hvbGVoZWFydGVkbHkuDQoNCk1pY2hhZWwNCg0KWzFdIGh0dHBzOi8vYnVn cy5kZWJpYW4ub3JnL2NnaS1iaW4vYnVncmVwb3J0LmNnaT9idWc9MTAxMTY0OQ0K

--------------KPRYZl0mSq1zE9jIvWwR6L4C--

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmM+/BcFAwAAAAAACgkQauHfDWCPItxo eg//Xmvivd02qojaJq2dcTvC7IMrvnW80iAoRKCLm2pAyKS9zIBaTrDPk0zO1LjhpXy6WSC/8zQ/ Pg76QSgU/8sF/o1LA4bLrO7VcDmHqHK5PBxuc6W3uFdz7Ws0tO/vX6Ssltnm0Nhh6c1GM0NyI6vm mQdxX3PmurSwQnSP3Pmt5nP35ROTwp/d3QeXusJSfwAB0rKmH4XT1BGqNGDCqp3qx0zM4+V+mpBB LcalGRzPJ+/5qKApWEY1GS2kd1OuzSJ6d8mN8PL/yec+2UlsS1BcH+LkFogGJOhWyFVHdR85fc7g RUzOWT7p5DQPYwzOvduAzqa0v6mHO/4XD6XVo6yerui3TblaWe4ji5DWzaLA1LfK6CesqBSbTOdz fAi7m7rK2I3COxvT4hjLLWPm8l13cHd0FeEQ1/uWEJ3NcZarVpiBx3y7DkONWK9mY+BBgAXYlL+P TqFaFM0/0Q7Dr91HUEy7ajP0E9W0zskkRYvAYQtbt7U8S9d4XJqri1lU5wwZAbS2MmtKGily171q CVtQPWjLfmI8ByyltCnT6Ajev0Khioe/DIijSpUoN8BQzectMCk1h5fAyzZthLe9YuRT7YeKwnk/ DyzObVdKJXnRIWU4FuCaj6WPHtuylYKhWuRjW4YgTrZ+BgQgcdrhhhHlQ8ujQdH1jGsWMTzJYA7a SOY=
=0q50
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Michael,

On Thu, 6 Oct 2022 17:45:06 +0200
Michael Biebl <biebl@debian.org> wrote:

If you are using salsa, you can utilize all the features gitlab
provides. E.g. in src:systemd, we use https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/gitlab-ci.yml

Yes, I'm using salsa-ci pipeline and quite happy with that :)

However, it is just a workflow and best practice, not the infrastructure
that all of us should use for releasing packages, and you know we are
all human so sometimes make mistakes.

I think if we can integrate piuparts infra for releasing packages,
we can avoid this kind of disaster and make sid users much happy, IMHO.

dput -> queue -> build -> "piuparts test pass" -> repo


Is there any blocker to implement such thing?


--
Hideki Yamane <henrich@iijmio-mail.jp>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Quoting Hideki Yamane (2022-10-07 03:39:39)

On Thu, 6 Oct 2022 17:45:06 +0200 Michael Biebl <biebl@debian.org> wrote:

If you are using salsa, you can utilize all the features gitlab
provides. E.g. in src:systemd, we use https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/gitlab-ci.yml

Yes, I'm using salsa-ci pipeline and quite happy with that :)

However, it is just a workflow and best practice, not the infrastructure
that all of us should use for releasing packages, and you know we are
all human so sometimes make mistakes.

I think if we can integrate piuparts infra for releasing packages,
we can avoid this kind of disaster and make sid users much happy, IMHO.

dput -> queue -> build -> "piuparts test pass" -> repo

Is there any blocker to implement such thing?

it would be really cool to have a suite only containing packages that had their piuparts and autopkgtests pass. Oh wait, we already have that and it's called "testing". Why was #1021336 a problem? Because (for good reasons) many places use the "unstable" suite. These places (including the build infrastructure) use "unstable" instead of "testing" for good reasons. If you introduce yet another suite before packages land in unstable, then these places would likely want to use that suite instead, because they need to consume the most up-to-date packages. At which point you are back where you started. So shifting the problem to another suite doesn't help you at all because those pieces of our machinery that want to consume the most up-to-date packages will then use that suite and then still be affected by the problems you wanted to protect them from.

So no, I do not think this makes sense. If some software is fine with older, but tested packages, then these software pieces can use "testing" today. Others have to live with the fact that the newest software is "unstable" for a reason.

I think the right way to fix this is to find most of these problems that can be found by a machine before the upload happens. This can happen on the developer's machine but as our distro grows and we are testing more and more things (lintian, upgrades, arch:any builds, arch:all builds, reproducibility, cross building...) I do not think we can expect every developer to run all the tests locally for all packages they maintain. This is why I think using the salsa CI pipelines are a great solution to situations like this.

In the spirit of this, i filed https://salsa.debian.org/vorlon/pam/-/merge_requests/14

Thanks!

cheers, josch
--==============‘07415420381968164=MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Description: signature
Content-Type: application/pgp-signature; name="signature.asc"; charset="us-ascii"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEElFhU6KL81LF4wVq58sulx4+9g+EFAmM/8pUACgkQ8sulx4+9 g+GHJQ//bdBkHZI5rAoH1ArRh7bPJoL/HB9GbCUSkYmsDWBTgLO2rHJnGL2jr81M geLl8rmPsUZSm3Uom8b/aR1noGk84wvhTe1N0g61D66GRfvUI/x2olWDH7kVqU7y RXx2/qe7fU9dr+lTgE8XTitPrQTeWq82U/R6g4e271eeQ1RarKl3kTBnc6YiTqOM hbwB7bSO1lxPcQOH6XVdYyy9yMJo2VFJ9mVZC49IygfCd6OdtsFojiffS9VMJ39d ijlIKSfgjZ72z1rtltx34r5BewDtoydlGtZ5F5ItTyfLX0lUhU88Qh5haK2gwTv/ kXTOd1s4IGNWzgPi/oEc2sAKe7ZeCpi/ziO3I8PB7WwuNGmw0de5H6h58NsQ7SFq VjOY+GvAOooINtAmnhhAouXvV6hI463O3saqJPX/QV4TzQg2pJBajyPrdAK+Z4oV akzMy3i12FWccbgFJ0M6xf1yr2OfPiajSiMHE2fPXJUlM5Eavp+wlletUYJqCQtq 3HyeB5s4Ycw2Je0NU/kF7NDsQhmImJpzexYdxFkNTN2AIkQ//5WLN06Wm7y8G1Go Sjb2E2dp0n/JZkxq5NPS+gIvTw0+Rwf+ROrGV3FI3O9DOU0+/dCMRJyo65OqslOW Q45W4GbNcG3DeGKuTXsrfBJmA3NRI90cjvC+dTU0t7U+nfv/PKw=
=LjfX
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)