SRUs and the importance of validating upstream release tarballs

Steve Langasek steve.langasek at ubuntu.com
Thu Oct 3 20:28:19 UTC 2024


On Thu, Oct 03, 2024 at 09:51:36PM +0800, Shengjing Zhu wrote:
> On Wed, Oct 2, 2024 at 6:02 PM Robie Basak <robie.basak at ubuntu.com> wrote:

> > If we take a fresh upstream release directly into a stable release
> > update, then it seems to me that it's important to validate that the
> > orig tarball matches what upstream released, or is otherwise
> > reproducible against what upstream released (eg. if it was repacked for
> > the usual reasons).

> > It's not currently a documented hard requirement for SRUs, but I think
> > that it should be, or at least be our default position.

> Why is this only the hard requirement for SRU? IMHO It should be a
> hard requirement for all the uploads.

I agree, and it's something that I as an uploader take care of whenever I am
in a situation of packaging a new upstream version.  But there's no
enforcement of it at the archive level (this wouldn't even be meaningful),
so in the devel series we rely on individual uploaders to check/enforce this
(just as we do in Debian).

The SRU process however has an additional review step with the SRU team, so
it is possible to impose such a check at that point.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
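The check Robie's quoted message describes, as an added example that is not part of this thread: compare a Debian orig tarball file by file against the tarball upstream published, tolerating a caller-supplied list of deliberately excluded paths for the repack case, and report anything added, missing or silently altered. The two tarballs below are constructed inline as sample data; verifying upstream's signature on its tarball is a separate step this example does not cover.

```python
import hashlib
import io
import tarfile

def member_digests(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Strip the leading directory so foo-1.2.3/ and foo-1.2.3+dfsg/ line up
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def compare_orig_to_upstream(orig_tar, upstream_tar, excluded=()):
    """Return (added, missing, changed): paths only in the orig tarball, paths only
    in upstream that were not declared excluded, and paths whose content differs."""
    orig = member_digests(orig_tar)
    upstream = member_digests(upstream_tar)
    excluded = set(excluded)
    added = sorted(p for p in orig if p not in upstream)
    missing = sorted(p for p in upstream if p not in orig and p not in excluded)
    changed = sorted(p for p in orig if p in upstream and orig[p] != upstream[p])
    return added, missing, changed

def build_tar(files, topdir):
    """Constructed sample tarball from {path: bytes} under a top-level directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{topdir}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed upstream release (hypothetical package "foo")
UPSTREAM = build_tar({"configure": b"#!/bin/sh\n",
                      "src/main.c": b"int main(void){return 0;}\n",
                      "vendor/blob.bin": b"\x00\x01"}, "foo-1.2.3")
# Constructed +dfsg repack: vendor/blob.bin removed on purpose, src/main.c altered
ORIG = build_tar({"configure": b"#!/bin/sh\n",
                  "src/main.c": b"int main(void){return 1;}\n"}, "foo-1.2.3+dfsg")

if __name__ == "__main__":
    print(compare_orig_to_upstream(ORIG, UPSTREAM, excluded=["vendor/blob.bin"]))
```

A clean result is three empty lists; the sample above flags src/main.c as changed, which is exactly the kind of difference a repack must never introduce.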