Overview
Request 1167145 superseded
- revert the switch to tar_scm which dropped the signature validation
- switch back to tarballs because the upstream tarballs are not gone
- reinstantiate keyring from Lasse
- go back to the last release signed by Lasse (5.4.2)
- revert multibuild, drop service and rpmlintrc
- revert version number mess-up
- remove payload setting, we are using zstd now
- Switch to using tar_scm for fetching the sources as the upstream tarballs on github are gone
- introduce _multibuild to allow building the translations outside of Ring0 and everything else in Ring0
- add rpmlintrc to silence harmless warnings
- Created by dirkmueller
- In state superseded
- Supersedes 1164502 1164585 1164977
- Superseded by 1167536
- Open review for openSUSE:Factory:Staging:O
- Open review for opensuse-review-team
Source URLs are not valid. Try `osc service runall download_files`.
xz-5.4.6.tar.gz /home/go/co/1164502/xz/xz-5.4.6.tar.gz differ: byte 1, line 1
ERROR: download_files is configured to fail when the upstream file is different than the committed file... this is the case!
Absolutely not - do not EVER think about Epoch solving any issue. It only CREATES issues
Care to elaborate? Epoch was introduced to solve exactly this issue. It ensures that the new 5.4 sorts higher than the backdoored 5.6
epoch is just broken by design.
https://en.opensuse.org/openSUSE:Package_versioning_guidelines
Bumping the Epoch: field. Note that openSUSE discourages and does not use epochs, one reason being that zypper can actually handle downgrades (unlike yum, presumably) with `zypper dup` and `zypper in`. In fact, Epoch is considered harmful, citing the Maximum RPM book:
e.g. BuildRequires: xz > 5.6 will be satisfied by even xz 1:1.0 - all versioned deps are totally broken whenever epoch is in play.
The current version used guarantees exactly what we want: it is NEWER than 5.6.1 (5.6.1.revertto5.4 > 5.6.1)
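The version-ordering argument above, worked through as an added example (not part of the request and not rpm's own code): a simplified Python re-implementation of rpm's segment comparison, assuming a missing Epoch counts as 0 and leaving out `~`/`^` handling. The function names are this example's own, and `1:5.4.2` is a constructed value showing what an Epoch bump would have looked like.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")  # separators such as '.' are skipped

def rpmvercmp(a, b):
    """Simplified rpm segment comparison; '~' and '^' are not handled."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # Shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr):
    """Split '[epoch:]version[-release]'; a missing Epoch is assumed to be 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evr_cmp(a, b):
    """Epoch decides first; version and release only break Epoch ties."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or (rpmvercmp(ra, rb) if ra and rb else 0)

def satisfies(provided, op, required):
    """Evaluate a versioned dependency such as 'xz > 5.6' against a provided EVR."""
    c = evr_cmp(provided, required)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]

if __name__ == "__main__":
    # Versions taken from the thread; '1:5.4.2' is a constructed Epoch variant.
    print("suffix sorts above 5.6.1:", satisfies("5.6.1.revertto5.4", ">", "5.6.1"))
    print("plain 5.4.2 sorts below 5.6.1:", satisfies("5.4.2", "<", "5.6.1"))
    print("Epoch 1:5.4.2 sorts above 5.6.1:", satisfies("1:5.4.2", ">", "5.6.1"))
    print("xz > 5.6 satisfied by 1:1.0:", satisfies("1:1.0", ">", "5.6"))
    print("xz > 5.6 satisfied by 1.0:", satisfies("1.0", ">", "5.6"))
```

Both approaches make the rolled-back package sort above 5.6.1, but only the suffix keeps `xz > 5.6` meaning what a spec author intended; with an Epoch, any version at all passes that check.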
mentioning all the things I mentioned to Dan on slack:
- obs_scm instead of tar_scm ?
- the service rewrites version - so running this _service file breaks the spec
- Name: must differ between the flavors (xz vs xz-lang)
- technically, bcond_with lang is wrong - it's not externally controlled build conditions (e.g. osc build --with=lang) (we use this error often - but that does not make it right)
That's technically not what is done anymore: it was switched to obs_scm
xz:lang fails to build (also in the devel project):
[ 11s] + exec rpmbuild -ba --define '_srcdefattr (-,root,root)' --nosignature --target=x86_64_v3-linux,x86_64-linux --define '_build_create_debug 1' --define 'disturl obs://build.opensuse.org/openSUSE:Factory:Staging:A/standard/fe5d61dfe1b5a1557320b18494f93beb-xz:lang' /home/abuild/rpmbuild/SOURCES/xz.spec
[ 11s] error: line 84: %package -n xz-lang: package xz-lang already exists
[ 11s] Building target platforms: x86_64_v3-linux,x86_64-linux
Request History
dirkmueller created request
anag+factory set openSUSE:Factory:Staging:O as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:O"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:O"
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
dirkmueller superseded request
superseded by 1167536
This is already listed as source2
As you reverted the multibuild, this rpmlintrc is no longer needed
Technically, I wonder if you don't want to just rebranch from factory to base:system. And just kill all the diff. There seems to be basically nothing that really justifies this 'update'
Actually we go back even more so makes sense. It's just messy as so much happened in between (with the attempt to go git checkout)
I'm okay with reverting the previous changes entries
Actually, on second thought I'd like to keep them around to document the reasons for going back to gpg verified tarballs. Just in case somebody else comes up with the same idea again in the future.