On Wed, 07 May 2025 at 14:39:00 +0100, Ian Jackson wrote:
> F. Abolish binNMUs and just do no-change source-only uploads.
I think there is at least rough consensus that binNMUs are not great and
what we ideally want is changelog-only sourceful uploads instead (as
seen as foo_1.2-3build4 in Ubuntu), but only if that can be done without
making the release team's job harder.
If we want every .dsc file to be signed so that it has an audit trail,
then a changelog-only sourceful upload of 1000 packages[1] requires
someone or something with upload access to generate and sign 1000 .dsc
files, which is going to take a while (I certainly wouldn't want to do
that using a hardware cryptographic token, especially one that is
configured to require a touch or PIN per signature).
I don't think tag2upload is necessarily going to help here, because
making and tagging 1000 git commits doesn't seem a whole lot easier than
making and signing 1000 .dsc files, even if they all happen to be for
packages that already exist in a tag2upload-compatible git repo. A
different automated tool whose security model is less like "the original
git commit was signed by someone with upload rights who could equally
well have prepared the .dsc themselves", and more like "the
actually-source package was obtained from the archive, and the automated
tool has verifiably only added one more changelog entry at the top"
could maybe help?
(Or, thinking slightly more outside the box, a new dpkg source package
format variant that consists of the files of the actually-source
package, or an equivalent tag2upload-style tag, plus a machine-readable
instruction of the form "please rebuild a list of packages that includes
this one, with the specified changelog entry"?)
smcv
[1] a somewhat extreme real-world example: I count 1063 distinct source
packages in
https://lists.debian.org/debian-release/2025/04/msg00074.html
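As an added example, not part of this thread and not any Debian or Ubuntu tool: a small Python check of the property the message above asks an automated tool to verify, namely that an uploaded debian/changelog is the archive's changelog with exactly one new entry prepended. Everything here is an assumption for illustration: the sample changelogs are constructed, the package name `hello` and the addresses are made up, the rebuild version is required to be the archive version plus a `buildN` or `+bN` suffix, and only debian/changelog is compared. A real tool would additionally diff the rest of the unpacked source tree against the archive's .dsc and use `dpkg --compare-versions` for ordering.

```python
"""Verify that an uploaded debian/changelog equals the archive's changelog plus
exactly one new entry on top.  Added illustrative example, not Debian tooling.
Assumptions (not from the thread): the rebuild version is the archive version
plus a buildN / +bN suffix, and only debian/changelog is compared."""
import re

# First line of a debian/changelog entry: "pkg (version) suite; urgency=level"
_HEADER = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\) (?P<dist>[^;\n]+); "
)
# Accepted no-change rebuild suffixes (assumption: Ubuntu-style buildN or +bN).
_REBUILD_SUFFIX = re.compile(r"(build|\+b)\d+")


def split_entries(changelog: str) -> list[str]:
    """Split changelog text into entries.  Each entry begins at a header line
    and is kept byte-for-byte, blank lines included, so that entries from the
    archive copy and the upload can be compared exactly."""
    entries: list[str] = []
    current: list[str] = []
    for line in changelog.splitlines(keepends=True):
        if _HEADER.match(line):
            if current:
                entries.append("".join(current))
            current = [line]
        elif current:
            current.append(line)
        elif line.strip():
            raise ValueError(f"text before the first changelog header: {line!r}")
    if current:
        entries.append("".join(current))
    return entries


def is_rebuild_only(archive_changelog: str, upload_changelog: str) -> tuple[bool, str]:
    """Return (ok, reason).  ok is True only when the upload is the archive
    changelog with a single new entry prepended, for the same source package,
    with a version that is the archive version plus a rebuild suffix."""
    old = split_entries(archive_changelog)
    new = split_entries(upload_changelog)
    if len(new) != len(old) + 1:
        return False, f"expected {len(old) + 1} entries, found {len(new)}"
    if new[1:] != old:
        return False, "existing entries were modified"
    top = _HEADER.match(new[0])
    prev = _HEADER.match(old[0])
    assert top is not None and prev is not None  # guaranteed by split_entries
    if top["pkg"] != prev["pkg"]:
        return False, f"package name changed: {prev['pkg']} -> {top['pkg']}"
    if not top["ver"].startswith(prev["ver"]):
        return False, f"version {top['ver']} does not extend {prev['ver']}"
    suffix = top["ver"][len(prev["ver"]):]
    if not _REBUILD_SUFFIX.fullmatch(suffix):
        return False, f"version suffix {suffix!r} is not a rebuild suffix"
    return True, f"ok: {prev['ver']} -> {top['ver']}"


# Constructed sample data (not a real package or real uploads).
ARCHIVE_CHANGELOG = (
    "hello (2.10-3) unstable; urgency=medium\n"
    "\n"
    "  * Fix build with a newer compiler.\n"
    "\n"
    " -- Maintainer <maint@example.org>  Mon, 05 May 2025 10:00:00 +0000\n"
    "\n"
    "hello (2.10-2) unstable; urgency=medium\n"
    "\n"
    "  * First upload of this series.\n"
    "\n"
    " -- Maintainer <maint@example.org>  Sun, 04 May 2025 10:00:00 +0000\n"
)

REBUILD_ENTRY = (
    "hello (2.10-3build1) unstable; urgency=medium\n"
    "\n"
    "  * No-change rebuild against the new libfoo.\n"
    "\n"
    " -- Rebuild Tool <rebuild@example.org>  Wed, 07 May 2025 15:00:00 +0000\n"
    "\n"
)

GOOD_UPLOAD = REBUILD_ENTRY + ARCHIVE_CHANGELOG
# Same new entry, but an older entry was quietly edited: must be rejected.
TAMPERED_UPLOAD = REBUILD_ENTRY + ARCHIVE_CHANGELOG.replace(
    "  * Fix build with a newer compiler.\n",
    "  * Fix build with a newer compiler.\n  * Also drop a patch.\n",
)
# A plain version bump is a real sourceful upload, not a rebuild: rejected.
SOURCEFUL_UPLOAD = REBUILD_ENTRY.replace("2.10-3build1", "2.10-4") + ARCHIVE_CHANGELOG

if __name__ == "__main__":
    for name, upload in [("good", GOOD_UPLOAD), ("tampered", TAMPERED_UPLOAD),
                         ("sourceful", SOURCEFUL_UPLOAD)]:
        print(name, *is_rebuild_only(ARCHIVE_CHANGELOG, upload))
```

The exact byte comparison of the older entries is the point: a tool that only checks "the top entry looks like a rebuild" would let a sourceful change ride along in an edited older entry or in the rest of the tree, which is why the changelog check alone is not sufficient and the unpacked source must be diffed as well.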