• Misc Developer News (#60)

    From Philipp Kern@21:1/5 to All on Sat Nov 23 22:30:01 2024

    The news is collected on https://wiki.debian.org/DeveloperNews
    Please contribute short news about your work/plans/subproject.

    In this issue:

    + Debian buildds are using sbuild with unshare now
    + sbuild chroot manager for unshare backend users
    + Building packages with make --shuffle
    + debian.org: Support for Security Key-backed SSH keys

    Debian buildds are using sbuild with unshare now
    ------------------------------------------------

    The wanna-build team switched all buildds to the sbuild unshare backend
    for trixie/sid/experimental plus *-backports. This means that official
    Debian builds now run as non-root user and rely on user namespaces
    instead of schroot. In addition this blocks any network access during
    the build as per Debian policy 4.9.

    Prior to the switch Santiago Vila did test rebuilds of all packages and
    bugs have been filed:

    https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=unshare;users=debian-wb-team@lists.debian.org

    Help is welcome to fix the remaining bugs.

    We recommend all developers to use sbuild with unshare as well.
    Notes on how to set it up as well as hints for custom usage are collected
    on the Wiki:

    https://wiki.debian.org/sbuild

    -- Jochen Sprickerhof

    sbuild chroot manager for unshare backend users
    -----------------------------------------------

    After installing sbuild 0.87.0 or later from unstable, you can now build
    packages without any additional setup. With an empty ~/.sbuildrc and
    with no chroot tarballs in ~/.cache/sbuild, just run this to build the
    "hello" source package:

    sbuild --chroot-mode=unshare --dist=unstable hello

    To keep the dynamically created chroot tarball for subsequent builds, you
    can make this configuration permanent by putting this into your
    ~/.sbuildrc:

    $chroot_mode = 'unshare';

    $unshare_mmdebstrap_keep_tarball = 1;

    Whenever a chroot tarball doesn't exist yet, or whenever an existing
    tarball is too old, sbuild will take care of creating one for you
    automatically. If you want to customize the contents of the tarballs
    sbuild creates, read the documentation of UNSHARE_MMDEBSTRAP_EXTRA_ARGS
    in sbuild.conf(5).

    The new chroot management functionality is marked as experimental and any
    feedback is very much appreciated.

    -- Johannes Schauer Marin Rodrigues

    Building packages with make --shuffle
    -------------------------------------

    I've built trixie/sid using make's new --shuffle option from make 4.4.x.
    This option is explained by the author here:

    https://trofi.github.io/posts/238-new-make-shuffle-mode.html

    There are more than 800 packages with Makefile issues. I've created this
    page with build logs, a dd-list, and a short explanation of how you can
    do the same using sbuild:

    https://people.debian.org/~sanvila/make-shuffle/

    Not filing bugs yet, because there are too many, but everyone is
    welcome to fix their own packages as part of their routine QA checks
    (i.e. if you care about your package being lintian clean and
    reproducible, you might want to care about your makefiles being
    correct too).

    Special thanks go to Víctor Seva, who reduced the number of
    affected packages (no longer in the list) by 85 by fixing several issues
    in dh-lua, and of course also to Sergei Trofimovich, who implemented
    the --shuffle option in make in the first place.

    -- Santiago Vila

    debian.org: Support for Security Key-backed SSH keys
    ----------------------------------------------------

    debian.org's mail gateway now allows DDs and guests to add SSH keys of
    the types sk-ecdsa-sha2-nistp256@openssh.com and
    sk-ssh-ed25519@openssh.com to their LDAP accounts. Keys of these types
    are backed by hardware tokens and generally require a physical touch for
    SSH access. As such they provide stronger assurances about humans
    accessing our infrastructure.

    -- Philipp Kern
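
An audit sketch for the two key types named above, added here as an example and not code from debian.org or its mail gateway: it reads `type base64 comment` public-key lines and counts a key as security-key-backed only when the type string embedded in the key blob matches the declared sk type. The function names are hypothetical and the sample lines are constructed with dummy key bytes.

```python
import base64
import struct

# The two key types named in the announcement above.
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
}


def embedded_type(blob: bytes) -> str:
    """Return the key type stored as the blob's first length-prefixed string."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > len(blob) - 4:
        raise ValueError("bad type length")
    return blob[4:4 + n].decode("ascii")


def classify(line: str) -> str:
    """Classify one public-key line as 'sk', 'not-sk' or 'invalid'."""
    fields = line.split()
    if len(fields) < 2:
        return "invalid"
    declared, b64 = fields[0], fields[1]
    try:
        inner = embedded_type(base64.b64decode(b64, validate=True))
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return "invalid"
    if inner != declared:  # the text label does not match the key material
        return "invalid"
    return "sk" if declared in SK_TYPES else "not-sk"


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def make_line(declared: str, inner: str, comment: str) -> str:
    """Build a constructed sample line; the key bytes are zeros, not a real key."""
    blob = _ssh_string(inner.encode()) + _ssh_string(bytes(32)) + _ssh_string(b"ssh:")
    return f"{declared} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample input: one sk key, one plain key, one relabelled key.
SAMPLE = [
    make_line("sk-ssh-ed25519@openssh.com", "sk-ssh-ed25519@openssh.com", "token"),
    make_line("ssh-ed25519", "ssh-ed25519", "laptop"),
    make_line("sk-ssh-ed25519@openssh.com", "ssh-ed25519", "relabelled"),
]
```

Calling `[classify(line) for line in SAMPLE]` flags the third line as invalid because its declared type is an sk type while the blob carries a plain `ssh-ed25519` key.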
