XPost: linux.debian.maint.dpkg, linux.debian.policy

Package: debian-policy
X-Debbugs-CC: debian-dpkg@lists.debian.org, ftpmaster@debian.org, jspricke@debian.org, josch@debian.org

Dear Policy Editors,

it appears that currently there is no requirement for d/control to
stay the same before and after a build. However, many things require
this to be the case, and ftp-master also requires this in their
reject-faq [1].

Below is a minimal patch, mostly as a discussion starter. I've
ponderred if listing examples of things breaking would be good, but
decided against it for the policy text.

This change suggestion started when Jochen et al discovered that the
"pcp" package currently rewrites its d/control file, which causes
rebuilds of the in-archive package to produce a different result. [2]


Thanks,
Chris


[1] https://ftp-master.debian.org/REJECT-FAQ.html "debian/control breakage #2" [2] https://reproduce.debian.net/amd64/#pcp and https://bugs.debian.org/1102289

(CC'ed people I expect to be interested.)


diff --git i/policy/ch-controlfields.rst w/policy/ch-controlfields.rst
index 3151816..cffca22 100644
--- i/policy/ch-controlfields.rst
+++ w/policy/ch-controlfields.rst
@@ -98,7 +98,8 @@ Debian source package template control files -- ``debian/control``

The ``debian/control`` file contains the most vital (and
version-independent) information about the source package and about the -binary packages it creates.
+binary packages it creates. The file must stay unchanged when building
+a package.

The first stanza of the control file contains information about the
source package in general. The subsequent stanzas each describe a

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.policy

Several packages do generate d/control: https://codesearch.debian.net/search?q=control.in+path%3Adebian%2Frules&literal=0


Le lun. 7 avr. 2025 à 15:12, Simon Josefsson <simon@josefsson.org> a écrit :

Is there any reasonable situation where modification (during build) of
ANY existing files under debian/ is a good idea?

I know modifying existing non-debian/ files is common to patch
source-level problems, but is modifying existing debian/ files wide
spread? Could anyone do a archive-wide non-root rebuild with 'chmod -R
-w debian/' with debian/ owned by some other user?

/Simon

Chris Hofstaedtler <zeha@debian.org> writes:

Package: debian-policy
X-Debbugs-CC: debian-dpkg@lists.debian.org, ftpmaster@debian.org,

jspricke@debian.org, josch@debian.org

Dear Policy Editors,

it appears that currently there is no requirement for d/control to
stay the same before and after a build. However, many things require
this to be the case, and ftp-master also requires this in their
reject-faq [1].

Below is a minimal patch, mostly as a discussion starter. I've
ponderred if listing examples of things breaking would be good, but
decided against it for the policy text.

This change suggestion started when Jochen et al discovered that the
"pcp" package currently rewrites its d/control file, which causes
rebuilds of the in-archive package to produce a different result. [2]

Thanks,
Chris

[1] https://ftp-master.debian.org/REJECT-FAQ.html "debian/control

breakage #2"

[2] https://reproduce.debian.net/amd64/#pcp and

https://bugs.debian.org/1102289

(CC'ed people I expect to be interested.)

diff --git i/policy/ch-controlfields.rst w/policy/ch-controlfields.rst index 3151816..cffca22 100644
--- i/policy/ch-controlfields.rst
+++ w/policy/ch-controlfields.rst
@@ -98,7 +98,8 @@ Debian source package template control files --

``debian/control``

The ``debian/control`` file contains the most vital (and
version-independent) information about the source package and about the -binary packages it creates.
+binary packages it creates. The file must stay unchanged when building
+a package.

The first stanza of the control file contains information about the
source package in general. The subsequent stanzas each describe a

<div dir="ltr">Several packages do generate d/control:<div><a href="https://codesearch.debian.net/search?q=control.in+path%3Adebian%2Frules&amp;literal=0">https://codesearch.debian.net/search?q=control.in+path%3Adebian%2Frules&amp;literal=0</a></div><div>
<br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Le lun. 7 avr. 2025 à 15:12, Simon Josefsson &lt;<a href="mailto:simon@josefsson.org">simon@josefsson.org</a>&gt; a écrit :<br></div><blockquote
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Is there any reasonable situation where modification (during build) of<br>
ANY existing files under debian/ is a good idea?<br>

I know modifying existing non-debian/ files is common to patch<br>
source-level problems, but is modifying existing debian/ files wide<br> spread?  Could anyone do a archive-wide non-root rebuild with &#39;chmod -R<br>
-w debian/&#39; with debian/ owned by some other user?<br>

/Simon<br>

Chris Hofstaedtler &lt;<a href="mailto:zeha@debian.org" target="_blank">zeha@debian.org</a>&gt; writes:<br>

&gt; Package: debian-policy<br>
&gt; X-Debbugs-CC: <a href="mailto:debian-dpkg@lists.debian.org" target="_blank">debian-dpkg@lists.debian.org</a>, <a href="mailto:ftpmaster@debian.org" target="_blank">ftpmaster@debian.org</a>, <a href="mailto:jspricke@debian.org" target="_blank">
jspricke@debian.org</a>, <a href="mailto:josch@debian.org" target="_blank">josch@debian.org</a><br>
&gt;<br>
&gt; Dear Policy Editors,<br>
&gt;<br>
&gt; it appears that currently there is no requirement for d/control to<br> &gt; stay the same before and after a build. However, many things require<br> &gt; this to be the case, and ftp-master also requires this in their<br>
&gt; reject-faq [1].<br>
&gt;<br>
&gt; Below is a minimal patch, mostly as a discussion starter. I&#39;ve<br> &gt; ponderred if listing examples of things breaking would be good, but<br> &gt; decided against it for the policy text.<br>
&gt;<br>
&gt; This change suggestion started when Jochen et al discovered that the<br> &gt; &quot;pcp&quot; package currently rewrites its d/control file, which causes<br>
&gt; rebuilds of the in-archive package to produce a different result. [2]<br> &gt;<br>
&gt;<br>
&gt; Thanks,<br>
&gt; Chris<br>
&gt;<br>
&gt;<br>
&gt; [1] <a href="https://ftp-master.debian.org/REJECT-FAQ.html" rel="noreferrer" target="_blank">https://ftp-master.debian.org/REJECT-FAQ.html</a> &quot;debian/control breakage #2&quot;<br>
&gt; [2] <a href="https://reproduce.debian.net/amd64/#pcp" rel="noreferrer" target="_blank">https://reproduce.debian.net/amd64/#pcp</a> and <a href="https://bugs.debian.org/1102289" rel="noreferrer" target="_blank">https://bugs.debian.org/1102289</a><br>
&gt;<br>
&gt; (CC&#39;ed people I expect to be interested.)<br>
&gt;<br>
&gt;<br>
&gt; diff --git i/policy/ch-controlfields.rst w/policy/ch-controlfields.rst<br> &gt; index 3151816..cffca22 100644<br>
&gt; --- i/policy/ch-controlfields.rst<br>
&gt; +++ w/policy/ch-controlfields.rst<br>
&gt; @@ -98,7 +98,8 @@ Debian source package template control files -- ``debian/control``<br>
&gt;<br>
&gt;  The ``debian/control`` file contains the most vital (and<br>
&gt;  version-independent) information about the source package and about the<br>
&gt; -binary packages it creates.<br>
&gt; +binary packages it creates. The file must stay unchanged when building<br>
&gt; +a package.<br>
&gt;<br>
&gt;  The first stanza of the control file contains information about the<br> &gt;  source package in general. The subsequent stanzas each describe a<br> &gt;<br>
&gt;<br>
</blockquote></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.policy

Is there any reasonable situation where modification (during build) of
ANY existing files under debian/ is a good idea?

I know modifying existing non-debian/ files is common to patch
source-level problems, but is modifying existing debian/ files wide
spread? Could anyone do a archive-wide non-root rebuild with 'chmod -R
-w debian/' with debian/ owned by some other user?

/Simon

Chris Hofstaedtler <zeha@debian.org> writes:

Package: debian-policy
X-Debbugs-CC: debian-dpkg@lists.debian.org, ftpmaster@debian.org, jspricke@debian.org, josch@debian.org

Dear Policy Editors,

it appears that currently there is no requirement for d/control to
stay the same before and after a build. However, many things require
this to be the case, and ftp-master also requires this in their
reject-faq [1].

Below is a minimal patch, mostly as a discussion starter. I've
ponderred if listing examples of things breaking would be good, but
decided against it for the policy text.

This change suggestion started when Jochen et al discovered that the
"pcp" package currently rewrites its d/control file, which causes
rebuilds of the in-archive package to produce a different result. [2]

Thanks,
Chris

[1] https://ftp-master.debian.org/REJECT-FAQ.html "debian/control breakage #2"
[2] https://reproduce.debian.net/amd64/#pcp and https://bugs.debian.org/1102289

(CC'ed people I expect to be interested.)

diff --git i/policy/ch-controlfields.rst w/policy/ch-controlfields.rst
index 3151816..cffca22 100644
--- i/policy/ch-controlfields.rst
+++ w/policy/ch-controlfields.rst
@@ -98,7 +98,8 @@ Debian source package template control files -- ``debian/control``

The ``debian/control`` file contains the most vital (and
version-independent) information about the source package and about the -binary packages it creates.
+binary packages it creates. The file must stay unchanged when building
+a package.

The first stanza of the control file contains information about the
source package in general. The subsequent stanzas each describe a

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmfzzioUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFoljLAP0cNKK3SAE/ CVb7rHgIVi2YG0YSDe9oavc+zpRsok0isQD8CcK98VkEZdYTEhUstLw7kSA91VeB XLPS7gOw1/HcmwA=
=IyfD
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.policy

On Mon, Apr 07, 2025 at 03:07:54PM +0200, Simon Josefsson wrote:

Is there any reasonable situation where modification (during build) of
ANY existing files under debian/ is a good idea?

debconf template translations get usually refreshed when building a
package (doing that in the _clean_ target is a common usecase) which
totally breaks if the package maintainer uses a workflow with
out-of-tree builds. Been bitten by that.

Do we have current usecases where debian/control gets modified during
build? I think the reject-faq dates back to the days when cdbs had
significant use and ftpmaster didn't like cdbs. I have never understood
that stance and ftpmaster didnt bother to explain.

Greetings
Marc

-- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.policy

* Jérémy Lal <kapouer@melix.org> [250407 15:25]:

Several packages do generate d/control: >https://codesearch.debian.net/search?q=control.in+path%3Adebian%2Frules&literal=0

I'll note that these packages either avoid recreating d/control when
it already exists with different contents (aborting instead) or
relying on other mechanisms for the contents not to change.

I believe this would not be prohibited by the proposed wording.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.policy

Hello,

On Mon 07 Apr 2025 at 02:08pm +02, Chris Hofstaedtler wrote:

it appears that currently there is no requirement for d/control to
stay the same before and after a build. However, many things require
this to be the case, and ftp-master also requires this in their
reject-faq [1].

Below is a minimal patch, mostly as a discussion starter. I've
ponderred if listing examples of things breaking would be good, but
decided against it for the policy text.

Usually we prefer to have some rationale, so a couple of sentences would
be good.

I also think the patch should be more specific -- exactly which d/rules
targets must not modify the contents of the file?

--
Sean Whitton

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJNBAEBCgA3FiEEm5FwB64DDjbk/CSLaVt65L8GYkAFAmf0ieoZHHNwd2hpdHRv bkBzcHdoaXR0b24ubmFtZQAKCRBpW3rkvwZiQBykEACmtfueCR5KNNPeiGJwcoq+ oN190g6BKapYtB7wpF9VXUk1eCHAOUJeY0SDnHaNbhtk13oeln9O78XV7UHiFloh S4V9XIJR0yV3rArRQZk8pBzqDOqoGRbiBesi7veqKPjJlE8ISslT0yOm1fHY2e5i D/3RFh2tOn5guKtmg28wInpw0Yy4s6YuZB3P67a1m2ImY5+GSSrlv37zuo1e3KQ7 +VQtdTSwWndyma8CvvIYG2UMcqS4Z73qCUtgsPzuELIjZkRf65bgrQliBJCVwM1G 5v9dvkbNVC79TEtvD/JazaGnDgy4tHlUyM3burTf7z5uAbxWvdKas2A3n5HM+Ngo +POQ8Brydkmvd9yLzhwQXkjytL4hSSkn9vJmyrz28aduxhItG4r0ScNEyQKQCmuV Bf8ihvFnr9NACEoqZiCcjXCm81fjgnMu6Jc+rvptSR2WZLhvw2U9Cd3oYCqDYgoe ++TqrzwQt3vFH4zqjBOF0vfFUeBNTel1Q8yzVDsM6bS1SE0qt2E1Ni2Kr6o0hkbF TPN23qR4dPJq4BNwIP9VEuwMjcETDmrXpqmRzCLiC23gjqFNbVhP9awzO/4nIRC9 bcaj2juaFEt/uJJNMC7JHsrVX/5wPunnz8OReLWV5pL7K6ZwB90+EbpH3pXszTo8 dmUNSxR0+4e7AIYf7PdUFg==2puf
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Us

XPost: linux.debian.policy

On Mon, Apr 07, 2025 at 03:07:54PM +0200, Simon Josefsson wrote:

Is there any reasonable situation where modification (during build) of
ANY existing files under debian/ is a good idea?

I know modifying existing non-debian/ files is common to patch
source-level problems, but is modifying existing debian/ files wide
spread? Could anyone do a archive-wide non-root rebuild with 'chmod -R
-w debian/' with debian/ owned by some other user?

debhelper creates files in debian/
so maybe we should stick with the original question.

debian/control is not autogenerated, but DEBIAN/control is
(by dpkg-gencontrol). This difference should be made clear in the rationale.

Cheers,
--
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.policy

* Bill Allombert <ballombe@debian.org> [250408 09:46]:

On Mon, Apr 07, 2025 at 03:07:54PM +0200, Simon Josefsson wrote:

Is there any reasonable situation where modification (during build) of
ANY existing files under debian/ is a good idea?

I know modifying existing non-debian/ files is common to patch
source-level problems, but is modifying existing debian/ files wide
spread? Could anyone do a archive-wide non-root rebuild with 'chmod -R
-w debian/' with debian/ owned by some other user?

debhelper creates files in debian/
so maybe we should stick with the original question.

debian/control is not autogenerated, but DEBIAN/control is
(by dpkg-gencontrol). This difference should be made clear in the rationale.

I believe this is already clear from the context. The section is
titled:

Debian source package template control files -- ``debian/control``

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.dpkg, linux.debian.policy

On Mon, 07 Apr 2025 at 14:08:23 +0200, Chris Hofstaedtler wrote:

it appears that currently there is no requirement for d/control to
stay the same before and after a build. However, many things require
this to be the case, and ftp-master also requires this in their
reject-faq [1].

[1] https://ftp-master.debian.org/REJECT-FAQ.html "debian/control breakage #2"

I am not a ftp team member, but I believe that point is specifically
forbidding the set of built packages from changing during the build, and
not the rest of debian/control:

- regenerating debian/control during clean to rewrite "less important"
fields like Uploaders or Description: reluctantly allowed

- regenerating debian/control during clean so it does or doesn't list
libfoo-data according to some external factor: not OK

The ``debian/control`` file contains the most vital (and
version-independent) information about the source package and about the
-binary packages it creates.
+binary packages it creates. The file must stay unchanged when building
+a package.

I think this would make several GNOME and GNOME-adjacent packages no
longer Policy-compliant. The GNOME team has historically used the gnome-pkg-tools package (dh-sequence-gnome) to generate d/control from d/control.in, with a substitution into Uploaders, during
"debian/rules clean". I'm fairly sure there are non-GNOME packages that
do similarly.

I never liked that, and the team has been phasing it out during the
trixie cycle (mostly in Jeremy Bícha's uploads), but I suspect we still
have a few less-active packages where the d/control regeneration has not
yet been removed.

I think there are some principles for handling of debian/control that we
*can* say are definitely required, which follow from how dpkg-dev and
the buildds work:

- the Build-{Depends,Conflicts}{,-Arch,-Indep} that appear in the
uploaded source package (.dsc) must be sufficient to build the
package (ref: "CDBS" in the REJECT-FAQ, and also common sense because
sbuild will only satisfy the build-dependencies at the beginning, so
by the time dpkg-buildpackage runs code from debian/rules, it's too
late to introduce new build-dependencies)
- if d/control is regenerated during build, it must not add
build-dependencies
- and if d/control is regenerated during build, it must not add
build-conflicts

- perhaps we can also say that the Build-{Depends,Conflicts}{,-Arch,-Indep}
must not change *at all* during build (ref: "CDBS" in the REJECT-FAQ)

- the binary packages built by a source must be a subset of the binary
packages listed in the uploaded .dsc (ref: "debian/control breakage #2",
and more specifically I think the ftp team require this because if it
isn't true, they lose their ability to control the binary package
namespace)

and there are some other things that I think are not RC issues, but that
I think we can say are good design principles:

- if debian/control is a generated file, it should either be generated
by the maintainer ahead of time ("make -f debian/rules control" or
similar before upload, as seen in e.g. gcc), or generated during the
clean step; it should not change during the build{,-arch,-indep} or
binary{,-arch,-indep} steps

- if debian/control is generated at build time, it should be a deterministic
function of the package contents and the build-dependencies
(because otherwise we don't have reproducible builds)

- if debian/control is generated at build time, ideally it should be a
deterministic function of the package contents only, with newer or
older build-dependencies not affecting its contents
(because otherwise we don't have a reproducible .dsc)
- note that dh-sequence-gnome Uploaders processing does not fully obey
this principle, which is one of the reasons I don't like it

- if debian/control is generated at build time, the parts of it that
can change should be limited to descriptive fields such as Uploaders
or Description, and functionally-significant fields should not change

But I think the proposed patch is too strong. As I said, I don't *like*
the GNOME team's historical regeneration of Uploaders, and I'm glad we're phasing it out, but I don't think it is or should be a Policy violation.

smcv

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.dpkg, linux.debian.policy

Hello Simon,

thank you for the insights.

(I've tried to trim some context, not sure how successful I was.)

* Simon McVittie <smcv@debian.org> [250408 11:33]:

On Mon, 07 Apr 2025 at 14:08:23 +0200, Chris Hofstaedtler wrote:

[1] https://ftp-master.debian.org/REJECT-FAQ.html "debian/control breakage #2"

I am not a ftp team member, but I believe that point is specifically >forbidding the set of built packages from changing during the build,
and not the rest of debian/control:

- regenerating debian/control during clean to rewrite "less important"
fields like Uploaders or Description: reluctantly allowed

- regenerating debian/control during clean so it does or doesn't list >libfoo-data according to some external factor: not OK

The ``debian/control`` file contains the most vital (and >>version-independent) information about the source package and about the >>-binary packages it creates.
+binary packages it creates. The file must stay unchanged when building
+a package.

I think this would make several GNOME and GNOME-adjacent packages no
longer Policy-compliant. The GNOME team has historically used the >gnome-pkg-tools package (dh-sequence-gnome) to generate d/control from >d/control.in, with a substitution into Uploaders, during
"debian/rules clean". I'm fairly sure there are non-GNOME packages
that do similarly.

I never liked that, and the team has been phasing it out during the
trixie cycle (mostly in Jeremy Bícha's uploads), but I suspect we
still have a few less-active packages where the d/control regeneration
has not yet been removed.

So, these packages will have a different set of Uploaders: in the
binary packages than in the Source package?

If so, is this really a good idea? Not saying this should become a
policy violation, but I would find this surprising.

I think there are some principles for handling of debian/control that
we *can* say are definitely required, which follow from how dpkg-dev
and the buildds work:

- the Build-{Depends,Conflicts}{,-Arch,-Indep} that appear in the
uploaded source package (.dsc) must be sufficient to build the
package (ref: "CDBS" in the REJECT-FAQ, and also common sense because
sbuild will only satisfy the build-dependencies at the beginning, so
by the time dpkg-buildpackage runs code from debian/rules, it's too
late to introduce new build-dependencies)
- if d/control is regenerated during build, it must not add
build-dependencies
- and if d/control is regenerated during build, it must not add
build-conflicts

- perhaps we can also say that the Build-{Depends,Conflicts}{,-Arch,-Indep}
must not change *at all* during build (ref: "CDBS" in the REJECT-FAQ)

This thing started because a package was found that *removed* a
Build-Depends item. I think this should also be forbidden.

- the binary packages built by a source must be a subset of the binary >packages listed in the uploaded .dsc (ref: "debian/control breakage
#2", and more specifically I think the ftp team require this because
if it isn't true, they lose their ability to control the binary
package namespace)

Plus -debug packages, which are automatic.

and there are some other things that I think are not RC issues, but
that I think we can say are good design principles:

- if debian/control is a generated file, it should either be generated
by the maintainer ahead of time ("make -f debian/rules control" or
similar before upload, as seen in e.g. gcc), or generated during the
clean step; it should not change during the build{,-arch,-indep} or >binary{,-arch,-indep} steps

I think I agree. Maybe someone can point out problems with allowing
it at "clean" time.

- if debian/control is generated at build time, it should be a
deterministic function of the package contents and the
build-dependencies (because otherwise we don't have reproducible
builds)

- if debian/control is generated at build time, ideally it should be a >deterministic function of the package contents only, with newer or
older build-dependencies not affecting its contents
(because otherwise we don't have a reproducible .dsc)
- note that dh-sequence-gnome Uploaders processing does not fully
obey this principle, which is one of the reasons I don't like it

I wonder how these two options will affect reproducible builds,
and/or introduce other hard-to-detect FTBFS scenarios.

- if debian/control is generated at build time, the parts of it that
can change should be limited to descriptive fields such as Uploaders
or Description, and functionally-significant fields should not change

Assuming this means binary build time, I feel this will need a
complete list of allowed fields.

But I think the proposed patch is too strong. As I said, I don't
*like* the GNOME team's historical regeneration of Uploaders, and I'm
glad we're phasing it out, but I don't think it is or should be a
Policy violation.

Right. Generally what I want is: tools should be able to look at a
source package, and derive various parameters from it, most of them
will come from d/control (and d/changelog). If d/control changes
after the tools extracted the relevant info, this becomes messy.

Even for fields like Uploaders:, I believe various tools look at the
values of the source d/control, possibly to do NMU detection.

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.dpkg, linux.debian.policy

On Tue, 08 Apr 2025 at 14:30:53 +0200, Chris Hofstaedtler wrote:

So, these packages will have a different set of Uploaders: in the
binary packages than in the Source package?

As far as I'm aware, binary packages don't have Uploaders (that field is
purely a source package thing).

But, if you take an old GNOME-team package and do a no-changes sourceful upload, debian/control gets regenerated from debian/control.in during `debian/rules clean`, and if the list of GNOME Team members in
gnome-pkg-tools has changed (or if its heuristic to decide who to put
in Uploaders has changed), the Uploaders field in the debian/control
member of the new debian.tar.xz might not be identical to the old.
Similarly, the Uploaders field in the .dsc, which ends up being copied
into the apt Sources index by the ftp team's machinery, will reflect
that change.

I agree that this is odd, and I've never been particularly comfortable
with it myself, but I don't think it is/should be a policy violation,
and the release team has generally been willing to tolerate it for the
purposes of freeze exceptions and stable updates (they do allow
documentation updates, and Uploaders is basically documentation).

If so, is this really a good idea? Not saying this should become a
policy violation, but I would find this surprising.

I don't like it either, and as far as I'm aware neither do any of the currently-active GNOME team members, but it clearly seemed like a good
idea to someone in the past.

The fact that it's surprising is why the team has been phasing out this practice, in favour of maintaining the Uploaders list by hand like most
other packages do. But I'm reasonably confident that not every package
that had the generated Uploaders list has been re-uploaded without it.
There is a relatively long tail of obsolete libraries that are no longer
used by GNOME, no longer maintained upstream and would ideally be
removed from Debian altogether, but cannot be removed yet because they
still have other packages depending on them. In general the team still
carries out minimal maintenance on those obsolete libraries to keep them
on life-support, but fixing non-critical issues in them is not anyone's top priority.

- the binary packages built by a source must be a subset of the
binary packages listed in the uploaded .dsc (ref: "debian/control >>breakage #2", and more specifically I think the ftp team require
this because if it isn't true, they lose their ability to control
the binary package namespace)

Plus -debug packages, which are automatic.

Right, but those don't really affect the ftp team's ability to control
the namespace: they've made a specific exception for those, accepting
that by allowing foobar into the archive, they are also allowing
foobar-dbgsym to exist.

smcv

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)