[SRU] backport fdroidserver 1.0.9-1 from cosmic to bionic

Bug #1758196 reported by Hans-Christoph Steiner
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
fdroidserver (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |

Bug Description

Please include fdroidserver 1.0.9-1 (universe) in Ubuntu/bionic LTS as a Stable Release Update. It can be sourced from Debian testing (main) and Ubuntu cosmic (universe).

[Impact]

We (the Debian Android Tools Team) did a bunch of testing related to the Ubuntu/bionic release. This package also received a full third party security audit after the DebianImportFreeze. Then there was a focused effort to get the full test suite running in autopkgtest. These changes were mostly done upstream. These are the final round of bugfixes from both those efforts.

This also fixes:
* https://bugs.launchpad.net/ubuntu/+source/fdroidserver/+bug/1763090
* https://bugs.launchpad.net/ubuntu/+source/fdroidserver/+bug/1762183

[Test Case]

The security issues fixed will be documented once we publicly publish the security audit report. That report includes issues in other F-Droid packages, so even though all fdroidserver issues have been fixed, we can't yet publish the full report.

The upstream dev process includes a large test suite:
https://gitlab.com/fdroid/fdroidserver/pipelines/25114656

It also now has autopkgtest passing on ARM and x86 https://autopkgtest.ubuntu.com/packages/fdroidserver

Also in Debian:
https://ci.debian.net/packages/f/fdroidserver/testing/amd64/

The test suite has never 100% passed for ppc64el and s390x, due to issues in the dependencies. Therefore, autopkgtest is still failing on those arches. Fixing them would require complicated fixes to dependencies.

[Regression Potential]

The regression potential is basically zero. Upstream focused development on making this package work well with Ubuntu/bionic, and new features have not been added since bionic has been released. The existing, extensive, upstream test suite is now run via autopkgtest. The changes were only to fix release-critical bugs. I'm also part of upstream on this package.

[Other Info]

Changelog entries since current bionic version 1.0.2-1:

fdroidserver (1.0.9-1) unstable; urgency=medium

  * New upstream version

 -- Hans-Christoph Steiner <email address hidden> Thu, 19 Jul 2018 16:14:09 +0200

fdroidserver (1.0.8-3) unstable; urgency=medium

  * hack to get autopkgtest to skip failing gpg test

 -- Hans-Christoph Steiner <email address hidden> Wed, 27 Jun 2018 21:03:54 +0200

fdroidserver (1.0.8-2) unstable; urgency=medium

  * autopkgtest: explicitly purge gnupg so tests pass

 -- Hans-Christoph Steiner <email address hidden> Mon, 25 Jun 2018 23:28:06 +0200

fdroidserver (1.0.8-1) unstable; urgency=medium

  * New upstream version
  * remove python3-distutils, it is no longer needed

 -- Hans-Christoph Steiner <email address hidden> Mon, 25 Jun 2018 13:12:21 +0200

fdroidserver (1.0.7-2) unstable; urgency=medium

  * Depends: python3-distutils so its always there

 -- Hans-Christoph Steiner <email address hidden> Mon, 25 Jun 2018 13:12:19 +0200

fdroidserver (1.0.7-1) unstable; urgency=medium

  * New upstream release
  * fix autopkgtest

 -- Hans-Christoph Steiner <email address hidden> Wed, 20 Jun 2018 22:27:59 +0200

fdroidserver (1.0.6-1) unstable; urgency=medium

  * New upstream release

 -- Hans-Christoph Steiner <email address hidden> Fri, 25 May 2018 17:15:51 +0200

fdroidserver (1.0.4-3) unstable; urgency=medium

  * fix autopkgtest run: working dir, and UTF-8 environment

 -- Hans-Christoph Steiner <email address hidden> Fri, 18 May 2018 10:54:26 +0200

fdroidserver (1.0.4-2) unstable; urgency=medium

  * run upstream testsuite using autopkgtest

 -- Hans-Christoph Steiner <email address hidden> Thu, 17 May 2018 12:17:12 +0200

fdroidserver (1.0.4-1) unstable; urgency=medium

  * New upstream version 1.0.4
  * Standards-Version: 4.1.4 no changes
  * support all the Java 10 and 11 packages
  * works with only androguard, removed optional deps
  * add debian/upstream/metadata file
  * Depends: androguard only on arches where it works

 -- Hans-Christoph Steiner <email address hidden> Tue, 15 May 2018 14:04:05 +0200

fdroidserver (1.0.3-2) unstable; urgency=medium

  * only depend on aapt/androguard/zipalign on arches where available

 -- Hans-Christoph Steiner <email address hidden> Fri, 23 Mar 2018 13:01:27 +0100

fdroidserver (1.0.3-1) unstable; urgency=medium

  * New upstream version
  * tighten up Depends to install fewer packages

 -- Hans-Christoph Steiner <email address hidden> Thu, 22 Mar 2018 23:25:49 +0100

Robie Basak (racb) wrote :

Thank you for driving this!

I'm concerned about the dependency changes and the Debian tracker suggesting that syncing this will result in installability problems. Separately though, following our IRC discussion I believe this is blocked on bug 1758199.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in fdroidserver (Ubuntu):
status: New → Confirmed
Hans-Christoph Steiner (eighthave) wrote :

The changes are large, since we were working to get the latest version into Debian in time for the Bionic Debian Import Freeze, which we narrowly missed. We've been testing against Bionic for the past couple months, so that is the target for this work.

summary: - Sync fdroidserver 1.0.3-1 (universe) from Debian unstable (main)
+ Sync fdroidserver 1.0.6-1 (universe) from Debian/testing (main)
Andreas Schildbach (schildbach) wrote : Re: Sync fdroidserver 1.0.6-1 (universe) from Debian/testing (main)

What's the plan for Bionic? The currently packaged fdroidserver 1.0.2-1 appears to be broken (unusable). Will it simply be updated to 1.0.6-1? Or will the individual bugs be fixed?

Hans-Christoph Steiner (eighthave) wrote : Re: [Bug 1758196] Re: Sync fdroidserver 1.0.6-1 (universe) from Debian/testing (main)

My plan is to get Ubuntu to accept the whole new package, since I've
been working upstream fixing Ubuntu/bionic bugs.

summary: - Sync fdroidserver 1.0.6-1 (universe) from Debian/testing (main)
+ Sync fdroidserver 1.0.8-3 (universe) from Debian/testing (main)
Hans-Christoph Steiner (eighthave) wrote : Re: Sync fdroidserver 1.0.8-3 (universe) from Debian/testing (main)

All the updates since fdroidserver 1.0.2 that are in 1.0.8-3 have been made to polish the release for bionic. So no new features, only directly related bugfixes. It also now has autopkgtest passing on ARM and x86 https://autopkgtest.ubuntu.com/packages/fdroidserver, and also in Debian: https://ci.debian.net/packages/f/fdroidserver/testing/amd64/

Hans-Christoph Steiner (eighthave) wrote :

Also, for the record, the upstream dev process includes a large test suite:
https://gitlab.com/fdroid/fdroidserver/pipelines/25114656

Hans-Christoph Steiner (eighthave) wrote :

This release fixes 1763090 and 1762183

Hans-Christoph Steiner (eighthave) wrote :
description: updated
summary: - Sync fdroidserver 1.0.8-3 (universe) from Debian/testing (main)
+ SRU fdroidserver 1.0.8-3 (universe) to bionic from cosmic or
+ Debian/testing (main)
Robie Basak (racb) wrote : Re: SRU fdroidserver 1.0.8-3 (universe) to bionic from cosmic or Debian/testing (main)

> The currently packaged fdroidserver 1.0.2-1 appears to be broken (unusable).

If this is the case, then we may not have to worry as much about regression risk to users as there aren't any users of the package in 18.04. So please could you elaborate on how exactly it's currently broken so that we (the SRU team) can assess regression risk?

Syncing backwards is generally not done - usually we need a rebuild to ensure that dependencies determined at build time can be met at runtime. Can somebody prepare, test and upload a backport to 18.04? This would have no changes except for a changelog addition if that works, with any other changes needed to make the backport work as necessary.

Hans-Christoph Steiner (eighthave) wrote :

For backports, we maintain a PPA with official releases, which includes a bionic backport that is a pure rebuild of 1.0.8-3:
* https://launchpad.net/~fdroid/+archive/ubuntu/fdroidserver/+packages?field.name_filter=fdroidserver&field.status_filter=published&field.series_filter=

We also include a full test suite run on Ubuntu LTS/bionic for all commits pushed to upstream's _master_ branch:
* https://gitlab.com/fdroid/fdroidserver/-/jobs/80758179
* https://gitlab.com/fdroid/fdroidserver/blob/1.0.8/.gitlab-ci.yml#L62

As for how it is currently broken in bionic, see:
* https://bugs.launchpad.net/ubuntu/+source/fdroidserver/+bug/1763090
* https://bugs.launchpad.net/ubuntu/+source/fdroidserver/+bug/1762183

Hans-Christoph Steiner (eighthave) wrote :

Robie Basak (racb) wrote :

I think you misunderstand me. A backport via the backports pocket (feature updates that are opt in for users) is fine. But we can also ship a backport via the updates pocket (updates that are recommended for automatic upgrade by users). In this case it looks like it'll meet the stricter requirements of the updates pocket as it'd be a bugfix-only backport.

My point was that you can't do a "sync"; you have to do a "backport" of the package (by adding another changelog entry with a bug reference etc) and get that sponsored/uploaded in order for me (in the SRU team) to be able to accept it. This is distinct from the backports process, which is a separate process to provide opt-in feature enhancements.

summary: - SRU fdroidserver 1.0.8-3 (universe) to bionic from cosmic or
- Debian/testing (main)
+ SRU backport fdroidserver 1.0.8-3 from cosmic to bionic
Hans-Christoph Steiner (eighthave) wrote : Re: SRU backport fdroidserver 1.0.8-3 from cosmic to bionic

Ok, following the example of https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1770553, I hope I got it right this time. I have made a debdiff for the bugfix-only, rebuild-only, backport from Cosmic. It is just a change to the changelog with the bug numbers. It is attached.

summary: - SRU backport fdroidserver 1.0.8-3 from cosmic to bionic
+ [SRU] backport fdroidserver 1.0.8-3 from cosmic to bionic
Hans-Christoph Steiner (eighthave) wrote :

I made an upstream 1.0.9 release with a couple of key bugs we just found in a big round of testing. I included these fixes upstream so there is also a stable release in the other channels. The target platform for the 1.0.9 release is still Ubuntu/bionic.

description: updated
summary: - [SRU] backport fdroidserver 1.0.8-3 from cosmic to bionic
+ [SRU] backport fdroidserver 1.0.9-1 from cosmic to bionic
Hans-Christoph Steiner (eighthave) wrote :

Changing the version based on apw's recommended version: "a quick look says your version number is suspect, as that would be higher than cosmic, 1.0.9-1~18.04.1 would be fine I think"

Andy Whitcroft (apw) wrote :

Reviewed and sponsored to bionic-proposed.

Robie Basak (racb) wrote : Please test proposed package

Hello Hans-Christoph, or anyone else affected,

Accepted fdroidserver into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fdroidserver/1.0.9-1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in fdroidserver (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Changed in fdroidserver (Ubuntu):
status: Confirmed → Fix Released
Hans-Christoph Steiner (eighthave) wrote :

Tested upgrading from 1.0.2-1 and ran the full test suite. This was in a chroot starting with a minimal install.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Hans-Christoph Steiner (eighthave) wrote :

Both tags are now switched to done, I think that's the correct thing to do, since this SRU only affects bionic.

tags: added: verification-needed
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fdroidserver - 1.0.9-1~18.04.1

---------------
fdroidserver (1.0.9-1~18.04.1) bionic; urgency=medium

  * Backport from Cosmic. (LP: #1758196)
  * fix broken openjdk dependency (LP: #1763090)
  * fix missing Python distutils dependency (LP: #1762183)

fdroidserver (1.0.9-1) unstable; urgency=medium

  * New upstream version

fdroidserver (1.0.8-3) unstable; urgency=medium

  * hack to get autopkgtest to skip failing gpg test

fdroidserver (1.0.8-2) unstable; urgency=medium

  * autopkgtest: explicitly purge gnupg so tests pass

fdroidserver (1.0.8-1) unstable; urgency=medium

  * New upstream version
  * remove python3-distutils, it is no longer needed

fdroidserver (1.0.7-2) unstable; urgency=medium

  * Depends: python3-distutils so its always there

fdroidserver (1.0.7-1) unstable; urgency=medium

  * New upstream release
  * fix autopkgtest

fdroidserver (1.0.6-1) unstable; urgency=medium

  * New upstream release

fdroidserver (1.0.4-3) unstable; urgency=medium

  * fix autopkgtest run: working dir, and UTF-8 environment

fdroidserver (1.0.4-2) unstable; urgency=medium

  * run upstream testsuite using autopkgtest

fdroidserver (1.0.4-1) unstable; urgency=medium

  * New upstream version 1.0.4
  * Standards-Version: 4.1.4 no changes
  * support all the Java 10 and 11 packages
  * works with only androguard, removed optional deps
  * add debian/upstream/metadata file
  * Depends: androguard only on arches where it works

fdroidserver (1.0.3-2) unstable; urgency=medium

  * only depend on aapt/androguard/zipalign on arches where available

fdroidserver (1.0.3-1) unstable; urgency=medium

  * New upstream version
  * tighten up Depends to install fewer packages

 -- Hans-Christoph Steiner <email address hidden> Tue, 10 Jul 2018 21:12:38 +0200

Changed in fdroidserver (Ubuntu Bionic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fdroidserver has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
