maemo.org Bugzilla – Bug 12605
Conflicting package ends up in repositories, despite being detected invalid during autobuild process.
Last modified: 2012-05-04 13:55:32 UTC
You need to
before you can comment on or make changes to this bug.
EXACT STEPS LEADING TO PROBLEM:
1. Developer try to upload package with exact name convention, as other package
being crucial part of SSU repository.
2. Package gets detected as "conflicting" by autobuilder, as per:
Package is rejected.
Armel binary landed in repository:
Unknown - attempt same trick for actually working replacement (gcc-4.6) doesn't
produce package in repository. It is unknown, why libxau6 passed autobuilder.
EXTRA SOFTWARE INSTALLED:
libxau6 (package in question here) is crucial dependency for many "safe to
install" packages like (S)NES or PSX emulators. Having broken version in
autobuilder is huge security risk - people may pull it unwillingly, while
updating other, seemingly unrelated packages. It actually *did* resulted in
reboot-looping device for many people.
It's obvious that developer lacked common sense, when uploading conflicting
package, but step 2 shows that it shouldn't land in repositories anyway, thus
definitely considered a bug.
might have been another example of same problem.
I agree that the check should be fatal instead of just a warning. It would be
good if someone can help out with adding that feature to buildme:
We can clean up packages one by one, but this won't make other packages
rebuild. This is why it would be very nice to have everything in OBS :)