Package rebuilds for gcc bug https://bugzilla.redhat.com/show_bug.cgi?id=634757

[Jesse Keating]

On 10/5/10 3:27 PM, Jesse Keating wrote:
> As you might be aware, there was a period of roughly two weeks where a
> gcc build (gcc-4.5.1-3.fc14) in the buildroots for both Fedora 14 and
> Fedora 15.  Items built with this could have undefined behavior, which
> could lead to data corruption.
> 
> Unfortunately I'm told that it is impossible to look at a generated
> binary and detect whether or not the binary would be effected by this
> bug.  The only reliable way to tell would be to re-create the build
> environment exactly, except replace GCC with one that will detect the
> error scenario and print something.  As this is a significant amount of
> work, I decided instead to just rebuild the potential problem builds.
> 
> I detected all the "latest" builds of packages that had gcc-4.5.1-3.fc14
> in the buildroot, and then further narrowed it down to things which
> require rtld(GNU_HASH) to find the things that actually used gcc (since
> gcc gets thrown in every buildroot anyway).
> 
> For Fedora 15 this was a simple task.  Just find the packages where the
> latest build is "bad", bump it and rebuild it.  End of story.  This work
> is already done (except that a few have failed, and I need to follow up
> on those).
> 
> For Fedora 14 the matter is much more complicated.  Builds are spread
> out across 3 main tags, dist-f14, dist-f14-updates-testing, and
> dist-f14-updates-candidate.
> 
> dist-f14 is things that have made it through bodhi as stable.
> 
> dist-f14-updates-testing is for things which are currently in
> updates-testing
> 
> dist-f14-updates-candidate is for things which could potentially become
> an update should the maintainer decide.
> 
> To handle the F14 scene I've come up with this strategy:
> * For things tagged in dist-f14 and no newer build elsewhere, do a bump,
> build and tag directly into dist-f14.  While there is some risk of
> breakage, it is quite minimal and with discussion from QA we are willing
> to take that chance.  This work is ongoing.
> 
> * For things tagged in dist-f14-updates-testing, do a bump, build and
> then edit the bodhi ticket to add the new build, and re-push to
> updates-testing.  This work will begin soon.
> 
> * for things tagged in dist-f14-updates-candidate, do a bump and build.
>  Then look for an open bodhi ticket for that package, adjusting as
> needed.  If no bodhi ticket is found, do not create a new one, just
> leave the build as is.  This work will begin soon.
> 
> Using this strategy we should be able to replace potentially bad builds
> with corrected ones wherever they might have been published (barring the
> failed builds).  This message is mostly a heads up as to what's happening.

Now that F14 has shipped and other emergencies have been dealt with, I
got back into this task.

Unfortunately as time has gone on, there is now builds in
dist-f14-updates to deal with as well as dist-f14, so I wanted to ping
the list before I continue.

I've identified a number of published builds that are still potentially
broken in the F14 family, and have fixed builds for many of them.  The
real question is what to do with things in dist-f14 or dist-f14-updates
that are potentially bad.

What we did with the first round was to just tag the rebuilds on top of
the previous build, if nothing else had changed.  This was deemed safe
enough to bypass updates-testing.  That was pre-release though, we're
not post-release, does this thought still stand?

We could tag things directly into dist-f14-updates, bypassing bodhi or
we could create new bodhi update requests for each item and either get
karma or wait for the timeout.  We're talking about 72 update requests
that could be filed right now.

There are also a few packages where a "fixed" build doesn't exist yet
due to errors.  Those need closer examination.

Finally we have some builds that are in -testing that are potentially
bad.  I've replaced those with good builds and re-sent them back to
-testing, the maintainer can choose to push them stable at will.

Here is a list of the current known potentially bad builds and what
action could be or has been taken:

wireshark - Update pending
wildmidi - my rebuild can be tagged
usermode - my build can be tagged
tigervnc - my build can be tagged
tecnoballz - my build can be tagged
tar - Update in testing
syncevolution - update in testing
spamass-milter - my build can be tagged
shiboken - my build can be tagged
rtpproxy - my build can be tagged
raul - my build can be tagged
python-storm - my build can be tagged
python-crypto - my build can be tagged
python - potential update in -candidate; pinged dmalcolm
pycryptopp - my build can be tagged.
pspp - my build can be tagged
plee-the-bear - my build can be tagged
perl-Text-Hunspell - my build can be tagged
openchange - my build can be tagged
nxtrc - my build can be tagged
nasm - update in testing
mutter-moblin - my build can be tagged (and tag into dist-f15)
mutt - my build can be tagged
moblin-panel-status - my build can be tagged
moblin-panel-people - my build can be tagged
moblin-panel-myzone - my build can be tagged
moblin-panel-applications - my build can be tagged
minicom - my build can be tagged
midori - my build can be tagged
meego-panel-datetime - update in testing
matahari - my build can be tagged
libvte-java - spots build can be tagged
libunicapgtk - my build can be tagged
libselinux - update in testing
libpst - my build can be tagged
libnxt - my build can be tagged
libnfc - my build can be tagged
libmutil - my build can be tagged
liblastfm - my build can be tagged
libgtk-java - no build
libgnome-java - no build
libglade-java - no build
libclaw - my build can be tagged
libass - my build can be tagged
lensfun - my build can be tagged
ledger - my build can be tagged
koffice - my build can be tagged
jana - my build can be tagged
jack_capture - my build can be tagged
gtk+extra - my build can be tagged
gstreamer-plugins-bad-free - my build can be tagged
gridsite - my build can be tagged
gretl - update in testing
gnustep-examples - my build can be tagged
glib-java - my build can be tagged
ghostscript - update in candidate, ping owner
ghc-terminfo - my build can be tagged
ghc-pango - my build can be tagged
ghc-gio - no build
ghc-Boolean - my build can be tagged
generatorrunner - my build can be tagged
gedit-vala - my build can be tagged
gcc - update in -candidate, ping jakub
gappa - my build can be tagged
fuse-convmvfs - my build can be tagged
frepple - my build can be tagged
folks - my build can be tagged
flowcanvas - my build can be tagged
elfutils - my build can be tagged
dssi - my build can be tagged
dspam - my build can be tagged
contacts - my build can be tagged
clutter-gtk - fixed build in updates
clutter - my build can be tagged
chktex - my build can be tagged
celt - my build can be tagged
ccache - my build can be tagged
calf - my build can be tagged
bluefish - update in testing
awn-extras-applets - my build can be tagged
avr-gcc - my build can be tagged
atanks - my build can be tagged
apiextractor - my build can be tagged
apcupsd - my build can be tagged
R-ROC - my build can be tagged
http-parser - my build can be tagged
libeio - my build can be tagged
setuptool - my build can be tagged
mailman - update in testing
ldc - removed from updates-testing
igraph - update in testing
busybox - update in testing

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating