Re: Resolving the kernel debug symbols vs signing problem

To: Ben Hutchings <ben@decadent.org.uk>, Debian kernel maintainers <debian-kernel@lists.debian.org>
Cc: Debian release team <debian-release@lists.debian.org>, ftpmaster@debian.org
Subject: Re: Resolving the kernel debug symbols vs signing problem
From: Niels Thykier <niels@thykier.net>
Date: Wed, 12 Apr 2017 07:50:00 +0000
Message-id: <[🔎] 6ecbe947-0fcc-5e90-3f83-cac5f499b9ef@thykier.net>
In-reply-to: <[🔎] 1491592637.2409.37.camel@decadent.org.uk>
References: <[🔎] 1491592637.2409.37.camel@decadent.org.uk>

Ben Hutchings:
> When implementing signed kernel packages, I wanted to make the signed
> image packages (built from linux-signed) take un-suffixed names so that
> existing procedures to install specific kernel versions would pick the
> signed packages, and users would be discouraged from installing
> unsigned packages.
> 

Hi,

That makes sense to me. :)  I particularly liked that part of the design
choice. :)

> This has interacted poorly with dak's handling of 'auto-built' debug
> symbol packages, as those are built by src:linux but don't include the
> '-unsigned' suffix in their names.  The debug symbol packages are added
> to the overrides file but are later automatically pruned, so that
> uploads that don't add new binary packages may still require NEW
> processing.

It almost certainly does.  The original plan for auto-built debug
packages were that they came from the same source.  This split between a
signed and unsigned package very much violates that basic assumption
that we had when we implemented dbgsym packages.

> I think this has to be solved before the stable release.
> 

I am probably missing something here, but wouldn't it be possible to go
back to the original -dbg (as a "worst case" option) and defer these
changes to buster?  Not saying I like it, I just want to know whether I
missed something.

> Therefore I intend to rename the binary packages as follows with the
> next uploads to unstable:
> 
> - src:linux builds linux-image packages without a name suffix
> - src:linux-signed builds linux-image packages with a '-signed' suffix
> - src:linux-latest builds linux-image meta-packages that depend on the
>   '-signed' package where available
> 

This would undo the very nice property of the image packages being
signed "by default", wouldn't it?

> One alternative could be to build duplicate debug symbol packages in
> src:linux and src:linux-signed, but that's a big waste of archive space
> and requires a maintainer to upload the debug symbol packages for one
> architecture (over 500 MiB per flavour) whenever there's an ABI bump.
> 
> Please let me know if you have a preference or an alternate solution.
> 

To be honest, at first glance I think I would prefer going back to -dbg
packages for stretch if it meant that the signed packages had no suffix.
 That said, ...

> (Also, if dak will not be signing packages in time for stretch,
> src:linux-signed must be removed from testing and the other packages
> changed accordingly.  I *will* *not* personally sign kernels for a
> stable release.)
> 
> Ben.
> 

Ok - I wouldn't want that responsibility either.  If the signed ones are
easy to re-implement, perhaps just switch now and add a blocker bug to
#820036 filed against linux.  That way, testing is closer to an
release-ready state, which is generally what we want right now.

Thanks,
~Niels

Reply to:

Follow-Ups:
- Re: Resolving the kernel debug symbols vs signing problem
  - From: Ben Hutchings <ben@decadent.org.uk>

References:
- Resolving the kernel debug symbols vs signing problem
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Processed: Re: Bug#859725: Acknowledgement (x11-common: Each time my screen standby, system crash)
Next by Date: Bug#859923: linux-image-4.9.0-2-amd64: mmap system call problem
Previous by thread: Resolving the kernel debug symbols vs signing problem
Next by thread: Re: Resolving the kernel debug symbols vs signing problem
Index(es):
- Date
- Thread