SRUs and the importance of validating upstream release tarballs
Matthias Klose
matthias.klose at canonical.com
Fri Oct 4 09:49:32 UTC 2024
On 03.10.24 22:28, Steve Langasek wrote:
> On Thu, Oct 03, 2024 at 09:51:36PM +0800, Shengjing Zhu wrote:
>> On Wed, Oct 2, 2024 at 6:02 PM Robie Basak <robie.basak at ubuntu.com> wrote:
>
>>> If we take a fresh upstream release directly into a stable release
>>> update, then it seems to me that it's important to validate that the
>>> orig tarball matches what upstream released, or is otherwise
>>> reproducible against what upstream released (eg. if it was repacked for
>>> the usual reasons).
>
>>> It's not currently a documented hard requirement for SRUs, but I think
>>> that it should be, or at least be our default position.
>
>> Why is this only the hard requirement for SRU? IMHO It should be a
>> hard requirement for all the uploads.
>
> I agree, and it's something that I as an uploader take care of whenever I am
> in a situation of packaging a new upstream version. But there's no
> enforcement of it at the archive level (this wouldn't even be meaningful),
> so in the devel series we rely on individual uploaders to check/enforce this
> (just as we do in Debian).
>
> The SRU process however has an additional review step with the SRU team, so
> it is possible to impose such a check at that point.
I don't think this is necessary when the .orig tarball already is in the
archive for a newer release. Which extra checks do you want to perform?
Are there really cases, where you don't want the new upstream release
first in the development release?
Matthias
More information about the ubuntu-devel
mailing list