Duplicate Debian packages with matching name-version-arch problem
Vagrant Cascadian
vagrant at reproducible-builds.org
Mon Jan 26 16:50:16 UTC 2026
On 2026-01-26, Holger Levsen wrote:
> On Tue, Jan 06, 2026 at 02:44:00PM -0800, Vagrant Cascadian wrote:
>> So, .buildinfo files in Debian record the package name, version and
>> architecture of the build-dependencies (and perhaps a bit more), but
>> there are corner cases where multiple artifacts have the same name,
>> version and architecture:
>> https://lists.debian.org/debian-snapshot/2025/10/msg00002.html
>
> #1072205 'dak: prevent re-using package versions' has been filed to migate this
> problem, which IMHO exists because of #894441 'binNMUs should be replaced by easy
> "no-change-except-debian/changelog-uploads"' still hasnt been addressed, though
> there is also #599128 'buildd.debian.org: binNMUing in !unstable error-prone'.
Indeed!
I *think* there is still an additional problem with the security uploads
getting imported into the SUITE-proposed-updates, which is briefly
mentioned in the bug report you pointed to
https://bugs.debian.org/1072205
But "just" stopping doing Debian's quirky binNMUs seems like the
simplest approach, and solves numerous other issues for good measure
(e.g. multi-arch drift, arch:all drift, etc.). We could almost just do
it, as an organization, by deciding not to use the historic footguns
anymore, though they are pretty entrenched in some workflows. :|
... though these issues are getting to be very Debian specific. :)
live well,
vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20260126/0227d78c/attachment.sig>
More information about the rb-general
mailing list