Hi Andreas,

On Fri, 01 Aug 2025, Andreas Tille wrote:
> I was especially encouraged that, after last year's BoF, one developer
> was inspired to open a merge request enhancing DAK[f05]. It would be
> wonderful to see similar initiatives for the following areas:
[...]
> B. Building Binary Artifacts for Review
> While Debian maintainers typically perform source-only uploads,
> FTPMasters need to inspect the actual binary artifacts during NEW
> processing. Creating a reliable way to build these binaries - ideally
> reproducing exactly what would be uploaded - would significantly
> streamline the review process. This could be a build tool, a CI job,
> or integration into existing infrastructure.

The way you present this seems to perfectly match what Debusine is able to do (with its sbuild workflow[1]). DAK could be modified to make an API call to debusine.debian.net to start a build workflow (in a private workspace restricted to ftpmasters) and the built binaries can be later fetched from debusine.debian.net directly (or we figure out some other way for Debusine to push back those binaries to DAK).

Those binaries would only be used for the review process (since they are not built on official buildd) and they would be thrown away afterwards.

If that would be a helpful thing to work on so that we can get rid of the requirements of uploading binary packages together with the NEW source packages, then we can certainly try to work on this.

And stepping back a little bit, that workflow could do more than just building the required binary packages. It could possibly run some other tools automatically (i.e. licensecheck or similar) and make the results available to streamline the work of the ftpmasters reviewing NEW.

This is typically something that would be in scope for Debusine. Among the goals that we set for ourselves with Debusine is offering a common set of tools to review packages and package updates. In Debian, we are reviewing packages in multiple places:

- ftpmasters for NEW
- stable release managers
- security team(s) for maintainer-provided security updates
- mentors.debian.net
- etc.

For now, we have focussed on the security workflows with the possibility to run autopkgtest on reverse dependencies and detecting new failures (regressions). We have also developed a task to run "debdiff" against the version in the target suite, and we have the obvious other QA tools (lintian, piuparts, blhc).

But over time we hope to expand the features to help more teams and provide a more consistent approach across all of Debian. If the next team expressing interest is ftpmasters to help with NEW, that would be fantastic!

Cheers,

[1] https://freexian-team.pages.debian.net/debusine/reference/workflows/specs/sbuild.html

-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hert...@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS