#1109680 release.debian.org: use lintian results to block testing migration

#1109680#5
Date:
2025-07-21 20:26:09 UTC
From:
To:
Hi,

I'm moving here the discussion that started on #debian-qa.

I wrote a CGI script¹ that exports lintian results per source package,
as YAML.

¹ https://salsa.debian.org/qa/udd/-/blob/master/web/cgi-bin/lintian-britney.cgi?ref_type=heads
http://udd.debian.org/cgi-bin/lintian-britney.cgi?tags=unstripped-binary-or-object,source-nmu-has-incorrect-version-number

The output looks like:
-------------------------------------------------->8
# package that has none of the tags listed
a2jmidid/9-3.1:
  # architectures for which lintian was run
  architectures: amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x source
  tags:
[...]
# package with one of the tags listed
a52dec/0.7.4-20:
  architectures: amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x source
  tags:
  - source-nmu-has-incorrect-version-number
[...]
# package that failedGG
latex-cjk-chinese-arphic/2.2:
  architectures:
  status: lintian failed
-------------------------------------------------->8

The pseudo code to block packages would look like:
1. find stanza for source/version, if it cannot be found, we probably
   want to wait until the package is processed.
2. if it contains 'status'='lintian failed', either block the package,
   or ignore lintian alltogether
3. examine the architectures field.  does it contain enough
   architectures, compared to those we want to migrate? (we might not
   want to wait for all architectures, but it's probably a good idea to
   wait for a few ...)
4. examine the list of tags

The output could link to e.g. https://udd.debian.org/lintian/?a52dec
(The default display only lists errors and warnings, but I suppose we
are not going to block on anything else)

Let me know if that works for you.

I saw the discussion about the number of tag occurences for a given
source package, that should be used to identify regressions. Tags are
currently only listed once per source. It would be possible to add the
number of occurences for each tag (with distinct "information"). Let me
know.

Lucas

#1109680#12
Date:
2025-08-12 15:39:14 UTC
From:
To:
Hi Lucas,

Thanks for the interface.


Have the 4 failures been reported to the src:lintian? All 4 packages are
in testing and I don't want to block them on new uploads for a failure
of lintian to run. Skipping the lintian check doesn't sound great.


For reproducible builds and autopkgtests we have a retry button. How
much sense do you think that makes for lintian? If we expect to have
failures like above, I think it would be good for maintainers to have
the option to retry. How often does udd retry by itself?


Currently I'm only thinking of aliased-location, which we really want to
prevent altogether, but in the future we might want to add things that
shouldn't regress. But maybe we can delay that to when we get there
unless you already have a good idea for that?

Paul

#1109680#17
Date:
2025-08-12 20:05:25 UTC
From:
To:
I don't think a regression approach makes sense for lintian tags,
especially not for warnings.

When a package has a new binary that does not have a manpage,
there is a new lintian warning.

A missing manpage is a problem in a package that should be visible,
but I don't see how this could warrant blocking testing migration.

If you block testing migration on that, you are forcing the maintainer
to hide the problem by adding a lintian override.

A regression approach also means that a manual hint is needed when a
package that got removed from testing (sometimes by a release team
member to help a transition) wants to reenter - it already happens in
rare cases with binary-all packages not installable on arm64, but
lintian warnings are not rare.

It would make more sense to block unconditionally (regression or not)
on a whitelist of lintian errors the release team does not want to have
in the next release.

Or announce that migration will be blocked on all lintian errors after
the release of forky, only displaying the information in excuses until
then (similar to reproducible).

Regarding the implementation, instead of waiting on another external
service that runs lintian it might be an option that britney
automatically adds an superficial autopkgtest to every package
running something line "lintian --fail-on error".

cu
Adrian

#1109680#22
Date:
2025-08-13 05:18:01 UTC
From:
To:
Hi Adrian,


This is what we envision at the moment, we'll be in control of which
lintian tags we want to block on.


We already depend on udd, so that's not new. And even if we would
pursue, how do you envision interaction of britney2 with autopkgtest to
add that test? That's not supported on any of the levels, so that's
quite a big change. And again, we only want to block on particular tags,
not everything that lintian thinks it's wise to report.

Paul

#1109680#27
Date:
2025-08-13 05:18:07 UTC
From:
To:
I understand that the plan is to block on a small subset of tags (which
probably wouldn't include missing manpages).

Lucas

#1109680#32
Date:
2025-08-13 05:15:02 UTC
From:
To:
I thought I filed the bugs already, but it does not look like it. Done
now:

#1110968: lintian: fails to process qps_2.10.0-1_amd64.deb, angband-data_4.2.5+dfsg1-3_all.deb, gedit-plugin-smart-spaces_48.1-2_amd64.deb: YAML::XS::Load Error: The problem: mapping keys are not allowed in this context
#1110969: lintian: fails to process latex-cjk-chinese-arphic-gbsn00lp_2.2_all.deb

Lintian results look very stable. The UDD runner currently does not
retry (refresh) packages that were tested successfully (= lintian exits
with 0, but might have identified errors, warnings, etc.).
It retries frequently (several times per day) the few packages where
lintian failed, so temporary failures should not stay for long.

Ah, I thought the plan was to phase out the lintian runs on ftp-master
and replace them by lintian runs on testing migration

I added the count of distinct "information" for each tag, which is
probably enough to identify if something changed in the wrong direction.

tinc/1.1~pre18-1:
  architectures: amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x source
  tags:
    aliased-location: 5

Lucas

#1109680#37
Date:
2025-08-13 10:57:59 UTC
From:
To:
Hi Paul,

udd is not new, but the service running lintian would be a new dependency.

At what point is debian/control parsed to detect lines like
  Testsuite: autopkgtest-pkg-go
?

At that point it should be possible to inject a test into every package
that does something like
  Test-Command: lintian --fail-on error -T aliased-location /path/to/*.deb
  Restrictions: superficial

cu
Adrian

#1109680#42
Date:
2025-08-13 11:25:07 UTC
From:
To:
Hi


That's done in britney2.


No, because the reading of the test suite is done on ci.d.n by
/usr/bin/autopkgtest. So what would be needed is autopkgtest to get an
interface to add tests from the outside, debci to grow an interface to
accept the same information and pass it on to autopkgtest and britney2
to use that new debci interface.

What would you use as Test-Depends? I would naively say, all binaries,
but what if not all binaries from one source are co-installable? Even if
we'd solve that, /path/to/*.deb would be /var/cache/apt/archives/*.deb
(but only those of the source under test). Can we rely on /var/cache? As
an alternative, the test could download all the binaries *in* the test,
but that feels clumsy for the 99% of the cases where we have just done
so to install the Test-Depends of the other tests.

Oh, and autopkgtest uses autodep8 automatically. So packages in
supported classes that haven't opted in to using that (e.g. because it
doesn't work on their package) suddenly see themselves being tested and
might fail.

Paul

#1109680#47
Date:
2025-08-21 09:49:04 UTC
From:
To:
Probably the above doesn't work because of how thunderbird breaks lines
and the bts reads those, but humans can still read it.


My current implementation doesn't use that yet, but I've based my work
on the current format. Please consider that interface now to have users.

Paul

#1109680#52
Date:
2025-08-23 08:47:12 UTC
From:
To:
Hi,


This now is active,
seehttps://qa.debian.org/excuses.php?package=gitlab-ci-multi-runner

Thanks for your work on this and the idea.

Paul

#1109680#61
Date:
2025-08-24 06:22:34 UTC
From:
To:
Hi Lucas,


I'm reopening this bug to discuss extension of the output. On #d-ftp I
informed ftp-master of this work and informed them we could take over
tags that work only on binaries. I should have realized before, but for
some of the tags they allow the maintainers to lintian-override the tag.
I think it would be useful if we had that too. I guess we somehow need
to add the information if a tag was overridden (for all instances) or not.

Paul

[1] https://paste.ganneff.de/2025-08-23-kX7HU26RXQs/lintian.tags

#1109680#68
Date:
2025-08-25 06:57:08 UTC
From:
To:
How about something like this:

gcc-15/15.2.0-1:
  architectures: all amd64 arm64 armel armhf i386 mips64el ppc64el riscv64 s390x source
  tags:
    binary-from-other-architecture:
      count: 66
      overridden: 164

'count' is the number of non-overriden matches.

https://udd.debian.org/lintian/?email1=&email2=&email3=&packages=gcc-15&ignpackages=&format=html<_error=on<_overridden=on&lintian_tag=binary-from-other-architecture#all


For reference, the UDD query to find interesting cases:
select tag, source, count(distinct tag_type)
from lintian_results
where tag_type in ('error', 'overridden')
group by tag, source
having count(distinct tag_type) = 2;

Lucas

#1109680#73
Date:
2025-08-28 08:31:00 UTC
From:
To:
Hi,


Looks fine to me :).

Paul

#1109680#78
Date:
2025-08-28 08:36:19 UTC
From:
To:
OK, should I push the changes? (I guess that will break the parsing on
your side)

Lucas

#1109680#83
Date:
2025-08-28 08:43:24 UTC
From:
To:
Hi,


I just checked in the test-suite, but it doesn't seem to brake it as I'm
not yet using the information in the tag.

Paul

#1109680#88
Date:
2025-08-28 09:05:13 UTC
From:
To:
ACK, change deployed.

Lucas