freeipa team mailing list archive

Thread
Date
[Bug 2032650] Re: Add DEP8 tests for bind-dyndb-ldap integration

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: Andreas Hasenack <2032650@xxxxxxxxxxxxxxxxxx>
Date: Fri, 08 Sep 2023 12:35:28 -0000
Reply-to: Bug 2032650 <2032650@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
** Description changed:

+ [ Impact ]
+ 
  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.
+ 
+ [ Test Plan ]
+ 
+ For both packages, the test plan consists in having the new dyndb-ldap
+ DEP8 test run and succeed.
+ 
+ [ Where problems could occur ]
+ With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it.
+ 
+ While this is exactly the intent (not leave a broken bind-dyndb-ldap
+ package in the release), there is a history indicating that bind-dyndb-
+ ldap can be late in catching up to bind9 changes. We may reach a
+ situation where an important bind9 security update, for example, will be
+ blocked by a failing dyndb-ldap test, and it may be difficult to fix
+ bind-dyndb-ldap in time, specially if the security update is under
+ embargo and the bind-dyndb-ldap developers do not yet have details of
+ the changes.
+ 
+ 
+ [ Other Info ]
+  
+ The same test is to be applied to the bind9 package, and is already in mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released.
+ 
+ The tight coupling between bind9 and bind-dyndb-ldap is problematic (see
+ [1], [2] and [3]). The moment a new bind9 hits proposed with this test,
+ it fill fail until a new bind-dyndb-ldap is rebuilt with that proposed
+ version.
+ 
+ One option would perhaps to accept a one-time DEP8-only change for
+ bind9, so that we can upload both packages together, instead of leaving
+ this in proposed with a blocking tag, to be picked up by the next bind9
+ "real" update?
+ 
+ 
+ 1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
+ 2. https://pagure.io/bind-dyndb-ldap/issue/225
+ 3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to bind-dyndb-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/2032650

Title:
  Add DEP8 tests for bind-dyndb-ldap integration

Status in bind-dyndb-ldap package in Ubuntu:
  Fix Released
Status in bind9 package in Ubuntu:
  Fix Released
Status in bind-dyndb-ldap source package in Jammy:
  In Progress
Status in bind9 source package in Jammy:
  New
Status in bind-dyndb-ldap source package in Lunar:
  In Progress
Status in bind9 source package in Lunar:
  New
Status in bind-dyndb-ldap source package in Mantic:
  Fix Released
Status in bind9 source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

  bind-dyndb-ldap breaks very frequently with bind9 updates. Both must
  have DEP8 tests so these breakages can be caught before a release.

  [ Test Plan ]

  For both packages, the test plan consists in having the new dyndb-ldap
  DEP8 test run and succeed.

  [ Where problems could occur ]
  With this new DEP8 change, a bind9 update can be blocked by a bind-dyndb-ldap failure to build or run with it.

  While this is exactly the intent (not leave a broken bind-dyndb-ldap
  package in the release), there is a history indicating that bind-
  dyndb-ldap can be late in catching up to bind9 changes. We may reach a
  situation where an important bind9 security update, for example, will
  be blocked by a failing dyndb-ldap test, and it may be difficult to
  fix bind-dyndb-ldap in time, specially if the security update is under
  embargo and the bind-dyndb-ldap developers do not yet have details of
  the changes.

  
  [ Other Info ]
   
  The same test is to be applied to the bind9 package, and is already in mantic. But SRUs for DEP8 changes only are frowned upon, so the plan is to upload it to proposed and block it there, but AFTER bind-dyndb-ldap has been released.

  The tight coupling between bind9 and bind-dyndb-ldap is problematic
  (see [1], [2] and [3]). The moment a new bind9 hits proposed with this
  test, it fill fail until a new bind-dyndb-ldap is rebuilt with that
  proposed version.

  One option would perhaps to accept a one-time DEP8-only change for
  bind9, so that we can upload both packages together, instead of
  leaving this in proposed with a blocking tag, to be picked up by the
  next bind9 "real" update?

  
  1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014503
  2. https://pagure.io/bind-dyndb-ldap/issue/225
  3. https://salsa.debian.org/dns-team/bind9/-/merge_requests/21

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2032650/+subscriptions