SRUs and the importance of validating upstream release tarballs

Shengjing Zhu shengjing.zhu at canonical.com
Thu Oct 3 13:51:36 UTC 2024


On Wed, Oct 2, 2024 at 6:02 PM Robie Basak <robie.basak at ubuntu.com> wrote:
>
> If we take a fresh upstream release directly into a stable release
> update, then it seems to me that it's important to validate that the
> orig tarball matches what upstream released, or is otherwise
> reproducible against what upstream released (eg. if it was repacked for
> the usual reasons).
>
> It's not currently a documented hard requirement for SRUs, but I think
> that it should be, or at least be our default position.
>

Why is this only a hard requirement for SRUs? IMHO it should be a
hard requirement for all uploads.

> I've noticed some matter related to this concern a couple of days
> running so I thought it was time to start a thread on this.
>
> When reviewing an SRU that does this, I usually take steps to verify
> this. If it doesn't match (usually due to a repack I cannot reproduce)
> then I query it. This is sometimes quite painful to do as I try to track
> down an upstream source and some way to validate it.
>
> We have tooling to make this easy in the majority of cases, with uscan,
> debian/watch and debian/upstream/signing-key.asc. I usually run `uscan
> --download-current-version`, check that HTTPS or GPG was used, and that
> the resulting tarball's hash matches the hash in the upload's changes
> file.

uscan is great. But for upstreams that don't work with uscan,
maintainers can document it in the debian/README.source file, or even add
a get-orig-source target in debian/rules [1].

[1] https://www.debian.org/doc/manuals/maint-guide/dreq.en.html#targets

-- 
Shengjing Zhu
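The last step of the check Robie describes (after `uscan --download-current-version`, compare the tarball's hash with the Checksums-Sha256 entry in the upload's .changes file), as an added shell example that is not part of this thread or of any Ubuntu tooling. It assumes coreutils `sha256sum`; the package name foo, its version and the .changes file are constructed sample data.

```shell
#!/bin/sh
# Compare an orig tarball's SHA256 against the Checksums-Sha256 entry recorded
# in the upload's .changes file (the last step of the check described above).

# Print the sha256 recorded for file name $2 in .changes file $1 (empty if absent).
changes_sha256() {
    awk -v want="$2" '
        /^Checksums-Sha256:/ { in_sec = 1; next }   # enter the stanza
        /^[A-Za-z-]+:/       { in_sec = 0 }         # any other field ends it
        in_sec && $3 == want { print $1; exit }     # " <sha256> <size> <name>"
    ' "$1"
}

# Return 0 if the tarball on disk matches the .changes hash, 1 on mismatch,
# 2 if the .changes file does not list the tarball at all.
verify_orig() {
    expected=$(changes_sha256 "$1" "$(basename "$2")")
    [ -n "$expected" ] || { echo "no Checksums-Sha256 entry for $2" >&2; return 2; }
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] && { echo "OK: $2 matches .changes"; return 0; }
    echo "MISMATCH: $2" >&2
    echo "  .changes: $expected" >&2
    echo "  on disk:  $actual" >&2
    return 1
}

# Constructed sample input (not a real upload): a fake orig tarball, a minimal
# .changes file that records it, and a tampered copy of the tarball.
make_demo() {
    dir=$(mktemp -d); mkdir "$dir/tampered"
    printf 'pretend upstream source\n' > "$dir/foo_1.2.3.orig.tar.gz"
    printf 'pretend upstream source, modified\n' > "$dir/tampered/foo_1.2.3.orig.tar.gz"
    sum=$(sha256sum "$dir/foo_1.2.3.orig.tar.gz" | cut -d' ' -f1)
    size=$(wc -c < "$dir/foo_1.2.3.orig.tar.gz" | tr -d ' ')
    cat > "$dir/foo_1.2.3-0ubuntu1_source.changes" <<EOF
Format: 1.8
Source: foo
Checksums-Sha256:
 $sum $size foo_1.2.3.orig.tar.gz
 $(printf '%064d' 0) 1234 foo_1.2.3-0ubuntu1.debian.tar.xz
Files:
 $(printf '%032d' 0) $size devel optional foo_1.2.3.orig.tar.gz
EOF
    echo "$dir"
}

demo=$(make_demo)
verify_orig "$demo/foo_1.2.3-0ubuntu1_source.changes" "$demo/foo_1.2.3.orig.tar.gz"
verify_orig "$demo/foo_1.2.3-0ubuntu1_source.changes" "$demo/tampered/foo_1.2.3.orig.tar.gz" || true
```

A tarball that passes this check still only matches what was uploaded; the HTTPS or GPG check on the uscan download is what ties that hash back to upstream.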
