Re: Resolving the kernel debug symbols vs signing problem
Ben Hutchings:
> When implementing signed kernel packages, I wanted to make the signed
> image packages (built from linux-signed) take un-suffixed names so that
> existing procedures to install specific kernel versions would pick the
> signed packages, and users would be discouraged from installing
> unsigned packages.
>
Hi,
That makes sense to me. :) I particularly liked that part of the design
choice. :)
> This has interacted poorly with dak's handling of 'auto-built' debug
> symbol packages, as those are built by src:linux but don't include the
> '-unsigned' suffix in their names. The debug symbol packages are added
> to the overrides file but are later automatically pruned, so that
> uploads that don't add new binary packages may still require NEW
> processing.
It almost certainly does. The original plan for auto-built debug
packages were that they came from the same source. This split between a
signed and unsigned package very much violates that basic assumption
that we had when we implemented dbgsym packages.
> I think this has to be solved before the stable release.
>
I am probably missing something here, but wouldn't it be possible to go
back to the original -dbg (as a "worst case" option) and defer these
changes to buster? Not saying I like it, I just want to know whether I
missed something.
> Therefore I intend to rename the binary packages as follows with the
> next uploads to unstable:
>
> - src:linux builds linux-image packages without a name suffix
> - src:linux-signed builds linux-image packages with a '-signed' suffix
> - src:linux-latest builds linux-image meta-packages that depend on the
> '-signed' package where available
>
This would undo the very nice property of the image packages being
signed "by default", wouldn't it?
> One alternative could be to build duplicate debug symbol packages in
> src:linux and src:linux-signed, but that's a big waste of archive space
> and requires a maintainer to upload the debug symbol packages for one
> architecture (over 500 MiB per flavour) whenever there's an ABI bump.
>
> Please let me know if you have a preference or an alternate solution.
>
To be honest, at first glance I think I would prefer going back to -dbg
packages for stretch if it meant that the signed packages had no suffix.
That said, ...
> (Also, if dak will not be signing packages in time for stretch,
> src:linux-signed must be removed from testing and the other packages
> changed accordingly. I *will* *not* personally sign kernels for a
> stable release.)
>
> Ben.
>
Ok - I wouldn't want that responsibility either. If the signed ones are
easy to re-implement, perhaps just switch now and add a blocker bug to
#820036 filed against linux. That way, testing is closer to an
release-ready state, which is generally what we want right now.
Thanks,
~Niels
Reply to: