Bug 12605 - Conflicting package ends up in repositories, despite being detected invalid during autobuild process.
Status: UNCONFIRMED
Product: maemo.org Website
Autobuilder
: unspecified
: ARM Maemo
: Unspecified major with 1 vote (vote)
: ---
Assigned To: Niels Breet
: repositories@maemo.bugs
Reported: 2012-04-30 00:11 UTC by Piotr Jawidzyk
Modified: 2012-05-04 13:55 UTC (History)

Description Piotr Jawidzyk (reporter) maemo.org 2012-04-30 00:11:29 UTC
EXACT STEPS LEADING TO PROBLEM: 

1. A developer tries to upload a package with the exact name convention of
another package that is a crucial part of the SSU repository.
2. Package gets detected as "conflicting" by autobuilder, as per:
https://garage.maemo.org/pipermail/extras-cauldron-builds/2012-April/042984.html

EXPECTED OUTCOME: 
Package is rejected.

ACTUAL OUTCOME: 
Armel binary landed in repository:
http://maemo.org/packages/view/libxau6/

REPRODUCIBILITY: 
Unknown - attempting the same trick for an actually working replacement
(gcc-4.6) doesn't produce a package in the repository. It is unknown why
libxau6 passed the autobuilder.

EXTRA SOFTWARE INSTALLED: 

OTHER COMMENTS:
libxau6 (the package in question here) is a crucial dependency for many "safe
to install" packages like (S)NES or PSX emulators. Having a broken version in
the autobuilder is a huge security risk - people may pull it unwillingly while
updating other, seemingly unrelated packages. It actually *did* result in a
reboot-looping device for many people.

It's obvious that the developer lacked common sense when uploading a
conflicting package, but step 2 shows that it shouldn't land in the
repositories anyway, thus it is definitely considered a bug.

Comment 1 Piotr Jawidzyk (reporter) maemo.org 2012-05-01 03:21:44 UTC
Bug 11709:
https://bugs.maemo.org/show_bug.cgi?id=11709
might have been another example of the same problem.

/Estel

Comment 2 Niels Breet maemo.org 2012-05-04 13:55:32 UTC
I agree that the check should be fatal instead of just a warning. It would be
good if someone can help out with adding that feature to buildme:
https://garage.maemo.org/plugins/scmsvn/viewcvs.php/trunk/buildme/tools/?root=extras-cauldron

We can clean up packages one by one, but this won't make other packages
rebuild. This is why it would be very nice to have everything in OBS :)
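
The fatal check requested in Comment 2, sketched as an added example (not buildme's code, which this page does not show). It assumes a conflict means the uploaded binary package name already exists in a protected repository's Debian-format Packages index; the index contents, versions and function names are constructed for illustration.

```python
"""Fatal conflict gate for an upload against a protected Debian 'Packages' index."""
import sys

# Constructed sample of a protected (SSU-like) Packages index; not real data.
PROTECTED_INDEX = """\
Package: libxau6
Version: 1.0.3-1
Architecture: armel
Description: X11 authorisation library
 Continuation lines start with a space.

Package: libc6
"""

# Constructed control stanzas for two hypothetical uploads.
UPLOAD_CONFLICTING = "Package: libxau6\nVersion: 1.0.7-1\nArchitecture: armel\n"
UPLOAD_CLEAN = "Package: my-emulator\nVersion: 0.1-1\nArchitecture: armel\n"

def parse_stanzas(text):
    """Parse Debian control-format text into a list of field dicts."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():              # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:   # continuation of the previous field
            current[last] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip().lower()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def find_conflicts(upload_control, protected_index):
    """Return uploaded package names that collide with protected packages."""
    protected = {s["package"] for s in parse_stanzas(protected_index) if "package" in s}
    uploaded = [s["package"] for s in parse_stanzas(upload_control) if "package" in s]
    return sorted(n for n in uploaded if n in protected)

def gate(upload_control, protected_index):
    """Exit status for the build step: non-zero makes the conflict fatal."""
    conflicts = find_conflicts(upload_control, protected_index)
    for name in conflicts:
        print(f"FATAL: {name} conflicts with a protected package", file=sys.stderr)
    return 1 if conflicts else 0
```

Wiring the return value of `gate` into the build step's exit status is what turns the existing warning into a rejection before the binary reaches the repository.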