After submitting an asterisk version with a version lower than the previous one, the packaging-farm created an inconsistent repository. The existing version was
and the version being submitted was
According to dpkg –compare-versions, the version being submitted is actually older than the release candidate -rc2, because – is after + lexicographicaly. This is a mistake and should be replaced by a version number that is higher than the -rc2. But packaging-farm silently ignored the problem and created a bugous package, mixing the sources being submitted with a version number coming from the existing version.A safeguard was added and packaging-farm will now abort with an error message explaining the error and suggesting a course of action.
The 2.0.15 was published and installed on the gallifrey, gallifrey-dev and skaro build machines.
Safeguard against downgrades in XIVO packages
The following use case creates a confusing situation:
- package-1.1-1 is submitted to the farm and successfully built
- package-1.0-1 is submitted to the farm : it is a version lower than the one already built
- packaging-farm creates package-1.1-1+build1 instead of package-1.0-1
- the .orig.tar.gz is package-1.0.orig.tar.gz and a package-1.1.tar.gz is created
Although building an older version of a package is not desirable, it should not claim to succeed while creating a package inconsistent with the orig.tar.gz file.
The source of the problem comes from the logic that adds a +buildX to the debian version of a package when a package is rebuilt (for instance because a package it depends on has been rebuilt). When this logic was implemented, the possibility that a package with a lower version number than a previously built package could be submitted was overlooked. It is not the normal behavior and should be treated as an error. Instead, it was ignored and lead to confusing results as described in the bug report.
The general rule is that the packaging-farm should refuse to build a package with a version lower than a previously build package. The goal is to prevent downgrades because the installation scripts are not designed for downgrades. However, this general rule cannot be applied just by comparing the versions of the existing package ( as found in /var/lib/packaging-farm ) and the current package ( as found in /var/cache/packaging-farm/source ). When a package is rebuilt, the +buildX suffix will always make the existing package more recent than the current package. The check must therefore proceed in two steps: first check if the existing package is more recent and then throw an error if the reason why it is more recent is not just because there is a +buildX appended to it.
The associated patch also moves the extraction of the existing package version from the makefile to the debuild.sh script. That avoids duplicating the logic. It also gives the debuild.sh script the name of the original dsc file in order to print a meaningfull error message.