Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)

Sebastian Andrzej Siewior
-security +dpkg

On 2018-03-29 16:09:32 [+0200], Salvatore Bonaccorso wrote:
> Hi,
Hi,

> One was rejected, because:
>
> openssl1.0_1.0.2l-2+deb9u3.dsc: Refers to non-existing file 'openssl1.0_1.0.2l.orig.tar.gz.asc'
> Perhaps you need to include the file in your upload?

the 9u1 upload did not have the .asc file referenced and so it got lost. What
could be done to avoid such mistakes in the future?
Would it make sense to let dak reject uploads for uploads of the same upstream
version when the .dsc files does not reference the .asc anymore? Or would it
better to teach dpkg-source to fail (based on a config switch) if the .asc
file is missing.

> Regards,
> Salvatore

Sebastian

Reply | Threaded
Open this post in threaded view
|

Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)

Ian Jackson-2
Sebastian Andrzej Siewior writes ("Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)"):

> On 2018-03-29 16:09:32 [+0200], Salvatore Bonaccorso wrote:
> > One was rejected, because:
> >
> > openssl1.0_1.0.2l-2+deb9u3.dsc: Refers to non-existing file 'openssl1.0_1.0.2l.orig.tar.gz.asc'
> > Perhaps you need to include the file in your upload?
>
> the 9u1 upload did not have the .asc file referenced and so it got lost. What
> could be done to avoid such mistakes in the future?
> Would it make sense to let dak reject uploads for uploads of the same upstream
> version when the .dsc files does not reference the .asc anymore? Or would it
> better to teach dpkg-source to fail (based on a config switch) if the .asc
> file is missing.

Would re-uploading the file have succeeded ?  If so, then using dgit
to do the upload would have DTRT because dgit checks with the archive
and always includes in the upload exactly the files which are not
present in the archive.

ian.

Reply | Threaded
Open this post in threaded view
|

Re: Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)

Sebastian Andrzej Siewior
On 2018-04-09 14:18:37 [+0100], Ian Jackson wrote:

> Sebastian Andrzej Siewior writes ("Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)"):
> > On 2018-03-29 16:09:32 [+0200], Salvatore Bonaccorso wrote:
> > > One was rejected, because:
> > >
> > > openssl1.0_1.0.2l-2+deb9u3.dsc: Refers to non-existing file 'openssl1.0_1.0.2l.orig.tar.gz.asc'
> > > Perhaps you need to include the file in your upload?
> >
> > the 9u1 upload did not have the .asc file referenced and so it got lost. What
> > could be done to avoid such mistakes in the future?
> > Would it make sense to let dak reject uploads for uploads of the same upstream
> > version when the .dsc files does not reference the .asc anymore? Or would it
> > better to teach dpkg-source to fail (based on a config switch) if the .asc
> > file is missing.
>
> Would re-uploading the file have succeeded ?  If so, then using dgit
> to do the upload would have DTRT because dgit checks with the archive
> and always includes in the upload exactly the files which are not
> present in the archive.

I am not 100% sure.
Usually every upload references the .asc file in the .dsc file but only
the first upload (the full-source upload) references the .asc file in
the .changes file (the rules seem to be the same as for the .orig file
from what I can tell).
So I *think* if I would manually fiddle the .asc file into the .changes
file then everything should be okay. If that is the case then dgit would
probably do the right thing. I don't know if DAK allows this - it might
not care.
However, I would like avoid losing the file in the first place :)

> ian.

Sebastian

Reply | Threaded
Open this post in threaded view
|

Re: Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)

Kurt Roeckx
On Mon, Apr 09, 2018 at 10:13:38PM +0200, Sebastian Andrzej Siewior wrote:
> I don't know if DAK allows this - it might not care.

My understanding what that dak would keep it once it has it, and
that you can add it if dak doesn't know about it yet.


Kurt

Reply | Threaded
Open this post in threaded view
|

Re: Lost .asc file in archive by not referencing it in an upload (Was: Re: OpenSSL updates)

Sebastian Andrzej Siewior
On 2018-04-09 22:22:37 [+0200], Kurt Roeckx wrote:
> On Mon, Apr 09, 2018 at 10:13:38PM +0200, Sebastian Andrzej Siewior wrote:
> > I don't know if DAK allows this - it might not care.
>
> My understanding what that dak would keep it once it has it, and
> that you can add it if dak doesn't know about it yet.

okay. So we know that DAK removes it once no .dsc file points to it
anymore. And we *could* add it in a following upload if we fiddle it
into .changes file (or force a full-source upload instead).

> Kurt

Sebastian