The lie in Ubuntu source packages (and probably Debian ones as well)

March 7, 2018

I tweeted:

One of the things that pisses me off about the Debian and Ubuntu source package format is that people clearly do not actually use it to build packages; they use other tools. You can tell because of how things are broken.

(I may have been hasty in tarring Debian with this particular brush but it definitely applies to Ubuntu.)

Several years ago I wrote about one problem with how Debian builds from source packages, which is that it doesn't have a distinction between the package's source tree and the tree that the package is built in and as a result building the package can contaminate the source tree. This is not just a theoretical concern; it's happened to us. In fact it's now happened with both the Ubuntu 14.04 version of the package and then the Ubuntu 16.04 version, which was contaminated in a different way this time.

This problem is not difficult to find or notice. All you have to do is run debuild twice in the package's source tree and the second one will error out. People who are developing and testing package changes should be doing this all the time, as they build and test scratch versions of their package to make sure that it actually has what they want, passes package lint checks, and so on.

Ubuntu didn't find this issue, or if they found it they didn't care enough to fix it. The conclusion is inescapable; the source package and all of the documentation that tells you to use debuild on it is a lie. The nominal source package may contain the source code that went into the binary package (although I'm not sure you can be sure of that), but it's not necessarily an honest representation of how the package is actually built by the people who work on it and as a result building the package with debuild may or may not reproduce the binary package you got from Ubuntu. Certainly you can't reliably use the source package to develop new versions of the binary package; one way or another, you will have to use some sort of hack workaround.

(RPM based distributions should not feel too smug here, because they have their own package building issues and documentation problems.)

I don't build many Ubuntu packages. That I've stumbled over two packages out of the few that I've tried to rebuild and they're broken in two different ways strongly suggests to me that this is pretty common. I could be unlucky (or lucky), but I think it's more likely that I'm getting a reasonably representative random sample.

PS: If Ubuntu and/or Debian care about this, the solution is obvious, although it will slow things down somewhat. As always, if you really care about something you must test it and if you don't bother to test it when it's demonstrably a problem, you probably don't actually care about it. This is not a difficult test to automate.

(Also, if debuild is not what people should be using to build or rebuild packages these days, various people have at least a documentation problem.)
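The build-twice test described above can be automated along these lines. This is an added example, not code from the original post or from any Debian or Ubuntu tool. `check_rebuild`, `BUILD_CMD` and `LOGDIR` are names made up here, and the default `debuild -us -uc` invocation is an assumption about how you build.

```shell
#!/bin/sh
# Added example, not from the original post: build an unpacked source tree
# twice in a row and report whether the second build breaks.
# BUILD_CMD is an assumption; set it to whatever you actually build with.
BUILD_CMD=${BUILD_CMD:-"debuild -us -uc"}

# check_rebuild TREE   (LOGDIR, if set, must be an absolute path outside TREE)
#   returns 0  both builds succeeded and every shipped file is unchanged
#           1  the first build failed (package is broken before any rebuild)
#           2  the second build failed (the first build contaminated the tree)
#           3  both builds succeeded but shipped files were modified or removed
#           4  setup error
check_rebuild() {
    tree=$1
    logdir=${LOGDIR:-$(mktemp -d)} || return 4
    manifest="$logdir/shipped.sha256"
    # Hash every file present before the first build (the shipped source).
    (cd "$tree" && find . -type f -exec sha256sum {} +) > "$manifest" || return 4

    result=0
    # BUILD_CMD is left unquoted on purpose so it splits into command + args.
    if ! (cd "$tree" && $BUILD_CMD) > "$logdir/build1.log" 2>&1; then
        result=1
    elif ! (cd "$tree" && $BUILD_CMD) > "$logdir/build2.log" 2>&1; then
        result=2
    # New files are expected build products; only shipped files are checked.
    elif ! (cd "$tree" && sha256sum -c --quiet "$manifest") \
            > "$logdir/changed.log" 2>&1; then
        result=3
    fi
    [ "$result" -eq 0 ] || echo "check_rebuild: $tree: result $result, logs in $logdir" >&2
    return "$result"
}

# Run as: sh check-rebuild.sh path/to/unpacked-source-tree
if [ "$#" -ge 1 ]; then
    check_rebuild "$1"
fi
```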

Comments on this page:

By dozzie at 2018-03-07 05:33:32:

[...] run debuild twice in the package's source tree and the second one will error out. People who are developing and testing package changes should be doing this all the time [...]

Actually no, they probably don't run debuild twice on the same directory. They probably unpack the source package and run debuild or dpkg-buildpackage on a clean and fresh source tree -- or at least that's how I do things.

By Vincent Bernat at 2018-03-07 09:37:37:

Not being able to build a package twice in a row is considered to be a bug. It is not much tracked nowadays because it's a bit useless to do that. People usually use something like sbuild or pbuilder to build the package in a clean chroot (builders also do that).

For Debian, one architecture may be built by the uploader while others are built by dedicated builders. For Ubuntu, all architectures are built with builders. This will be the norm one day in Debian too.

As for documentation, this is a known problem and there is not enough workforce to keep it updated. Notably, in Debian, we have so many ways to do things that we have so many outdated documents.

Written on 07 March 2018.

Last modified: Wed Mar 7 01:43:26 2018