#1099111 dupload: Recent changes broke buildd-uploader

#1099111#5
Date:
2025-02-28 13:42:37 UTC
From:
To:
Hello,

the latest version of dupload breaks buildd-uploader from the src:sbuild package:

Feb 28 14:35:42 buildd-uploader[42155]: 2 jobs to upload in upload: dde-calendar_5.14.13-1_alpha.changes searchandrescue_1.7.0+dfsg-1_alpha.changes
Use of uninitialized value $u in substitution (s///) at /usr/share/perl5/Buildd/Uploader.pm line 254.
Use of uninitialized value $u in unlink at /usr/share/perl5/Buildd/Uploader.pm line 255.
Use of uninitialized value $u in concatenation (.) or string at /usr/share/perl5/Buildd/Uploader.pm line 256.
Use of uninitialized value $u in concatenation (.) or string at /usr/share/perl5/Buildd/Uploader.pm line 257.
Feb 28 14:35:44 buildd-uploader[42155]: dupload exit status 25/0
Feb 28 14:35:44 buildd-uploader[42155]: Removed  due to upload errors.

I have not investigated the problem in detail yet. However, downgrading dupload
to 2.11.2 fixes the problem for me.

Thanks,
Adrian

#1099111#10
Date:
2025-03-01 13:58:55 UTC
From:
To:
Hi!

I'd assume this is due to the new OpenPGP multi-backend support, which
makes the openpgp-hook require explicit keyrings options.

I suppose buildd might be failing like this if dupload exited with a
failure? (Which I think deserves its own bug report, to handle that
more gracefully.)

Before the upload I coordinated with Aurelien Jarno to make sure this
time around the buildds had the required config changes:

https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/44cb84d9f0a85d29c82e63f2e8ad1eb9b92530cc

But, I guess the instance you are reporting for might be independent
from DSA?

The default debian hosts configured in the shipped conffile contain
the required changes so if you are using a custom one, then that might
need to be adapted? Otherwise it would be nice to know what's going
wrong.

I improved the error reporting on git, and will be adding a NEWS entry
because this fallout I guess was unexpected.

Thanks,
Guillem

#1099111#15
Date:
2025-03-01 16:07:12 UTC
From:
To:
Hello,

OK.

The DSA-maintained instances are only building the packages for the release
architectures. Debian Ports packages are built on separate machines and
therefore such configuration changes would have to be applied there as well:

https://salsa.debian.org/debian-ports-team/dsa-puppet

Not sure what you mean with "default Debian hosts"?

Yes, breaking changes should be communicated in the NEWS file and I suggest
that the required configuration changes are added to the default configuration
files of the src:sbuild package which also contains the buildd binary package.

Adrian

#1099111#20
Date:
2025-03-01 17:28:34 UTC
From:
To:
Hi!

Ah, sorry, I assumed this was all handled as part of the same
dsa-puppet repo that Aurelien fixed. The changes that were done for the
main buildds were to make sure the GnuPG pubring was in OpenPGP format
instead of the GnuPG specific keybox format (which is not portable), and
then those specific commits:

https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/d4e099680d3bd964b0837849b68728ec3ce7b52e
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/44cb84d9f0a85d29c82e63f2e8ad1eb9b92530cc

This was done in stages, introducing the new keyring support in
dupload 2.12.0, the buildd setup updated, then 2.13.0 uploaded which
then required the keyrings support. Given that the keyrings settings
are optional it could be done even with the old version, then you
should be safe to upgrade dupload.

As I was not sure how this was being used I just tried to give enough
information to try to track this down. With "default Debian hosts"
I meant the stuff present in /etc/dupload.conf. But from your
explanation I assume this just needs the same treatment as the
official buildds.

I'm not sure the needed changes can be automated. In this case the
buildds need to add their own OpenPGP certificates into a keyring that
dupload can use, because those certificates are not present in any of
the official keyrings from the debian-keyring package.

(I've created an MR to use the new canonical name for the upload hosts,
but that should not change anything related to this issue
<https://salsa.debian.org/debian/sbuild/-/merge_requests/152>. I'll
also file a report about the Perl warnings.)

Thanks,
Guillem

#1099111#25
Date:
2025-03-12 16:20:32 UTC
From:
To:
Hi,

Hmm, I'm not sure which of these changes I need to pick up now. I'm a bit overwhelmed.

Also, I have seen even dupload 2.11.2 have the openpgp-check hook fail so I have to
force the upload with "--skip-hook=openpgp-check".

What would you suggest to do now on the Debian Ports buildds to avoid breakage when
updating?

Can't we just use the old system for the buildds? I'm not sure why dupload has
to make such complicated checks.

Adrian

#1099111#30
Date:
2025-03-14 08:48:17 UTC
From:
To:
Hello,

this issue still persists and I assume an entry needs to be added for dports:

glaubitz@stadler:~/libxml2$ dupload --to dports libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.changes
dupload note: no announcement will be sent.
Checking OpenPGP signatures on libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.changes...
openpgp-check: error: no OpenPGP keyring specified or present for host dports

dupload: error: Pre-upload '/usr/share/dupload/openpgp-check %1' failed for libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.changes
glaubitz@stadler:~/libxml2$ dupload --to dports --skip-hook=openpgp-check libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.changes
dupload note: no announcement will be sent.
dupload: warning: skipping pre-upload changes hook /usr/share/dupload/openpgp-check %1
Uploading (ftp) to ports-master.debian.org:/incoming/
[ Preparing job libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64 from libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.changes
 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb, size ok, md5sum ok, sha1sum ok, sha256sum ok
 libxml2-dev_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb, size ok, md5sum ok, sha1sum ok, sha256sum ok
 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb, size ok, md5sum ok, sha1sum ok, sha256sum ok
 libxml2-utils_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb, size ok, md5sum ok, sha1sum ok, sha256sum ok
 libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.buildinfo, size ok, md5sum ok, sha1sum ok, sha256sum ok
 libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb, size ok, md5sum ok, sha1sum ok, sha256sum ok
 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb, size ok, md5sum ok, sha1sum ok, sha256sum ok
 python3-libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb, size ok, md5sum ok, sha1sum ok, sha256sum ok
 libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.changes ok ]
Uploading (ftp) to dports (ports-master.debian.org)
+ FTP passive mode selected
[ Uploading job libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64
 libxml2-dbgsym_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb 1746.4 kB, ok (0 s, 1746.39 kB/s)
 libxml2-dev_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb 702.9 kB, ok (1 s, 702.86 kB/s)
 libxml2-utils-dbgsym_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb 74.8 kB, ok (0 s, 74.82 kB/s)
 libxml2-utils_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb 94.2 kB, ok (0 s, 94.17 kB/s)
 libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.buildinfo 8.7 kB, ok (0 s, 8.67 kB/s)
 libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb 556.5 kB, ok (1 s, 556.52 kB/s)
 python3-libxml2-dbgsym_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb 232.7 kB, ok (0 s, 232.68 kB/s)
 python3-libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.deb 171.3 kB, ok (0 s, 171.28 kB/s)
 libxml2_2.12.7+dfsg+really2.9.14-0.3_sparc64.changes 4.4 kB, ok (1 s, 4.41 kB/s) ]
glaubitz@stadler:~/libxml2$ dpkg -l dupload
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  dupload        2.13.2       all          Debian package upload tool
glaubitz@stadler:~/libxml2$

Adrian

#1099111#35
Date:
2025-03-14 12:58:07 UTC
From:
To:
That is not linked with debian-ports, just that you need to reconfigure
the build daemons.

You need to update the dupload.conf to point to
~buildd/.gnupg/pubring.gpg and enforce the old keyring format in
~buildd/.gnupg/gpg.conf. This is the purpose of the following puppet
commits:
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/d4e099680d3bd964b0837849b68728ec3ce7b52e
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/44cb84d9f0a85d29c82e63f2e8ad1eb9b92530cc

Then you also need to convert the gnupg keyring to the old format. You
can do that with the following command:

  gpg --export > ~/.gnupg/pubring.gpg && mv ~/.gnupg/pubring.kbx ~/.gnupg/pubring.kbx.disabled

Aurelien

#1099111#40
Date:
2025-03-14 14:07:40 UTC
From:
To:
Hi Aurelien,

OK, thanks for the instructions. I will perform this transition once I have
the time for touch all buildds at once and also can coordinate the change
with Michael Cree for imago.

Is there any particular reason why we should stick with he old GPG format?

Thanks,
Adrian

#1099111#45
Date:
2025-03-14 14:15:04 UTC
From:
To:
Hi,

Note that all thoses changes are compatible with dupload version 2.12.0

Because of the GPG schism, and that's actually the reason of all those
changes in dupload.

Cheers
Aurelien

#1099111#50
Date:
2025-04-20 11:53:52 UTC
From:
To:
Hi Guillem,

is there a way to just turn these checks off globally?

I have observed that even old versions of dupload now randomly try to
verify the signature which means I'm being spammed with failure mails.

I'm not sure why this happens despite dupload not being upgraded but
in any case I just want to turn these checks off.

I have seen that there is an environment variable called DUPLOAD_SKIP_HOOKS
but there doesn't seem to be an option which I can just add to /etc/dupload.conf
or ~/.dupload.conf.

Thanks,
Adrian

#1099111#55
Date:
2025-04-20 20:22:04 UTC
From:
To:
Hi Guillem,

Never mind. Turned out the signing key actually expired in this case and
the buildd in question had just been turned off for a long time and was
recently restarted without a heads-up, so the key was just old.

Sorry for the noise!

Adrian