1

I'm trying to build the newest snmp packages on debian jessie.

However, https://packages.debian.org/jessie/snmp seems to show conflicting information. The page heading reads:

Package: snmp (5.7.2.1+dfsg-1+deb8u1 and others) [security]

And the link to the source package, net-snmp_5.7.2.1+dfsg-1+deb8u1.dsc has the exact same version string.

But towards the bottom, under "Download snmp", one can download version 5.7.2.1+dfsg-1+deb8u1+b1. Where does the +b1-suffix in the downloadable version come from?

http://security.debian.org/dists/jessie/updates/main/binary-amd64/Packages.gz

seems to agree that the downloadable version contains +b1 but the source package version doesn't:

> curl http://security.debian.org/dists/jessie/updates/main/binary-amd64/Packages.gz 2>/dev/null | zgrep -A 2 '^Package: snmp$' 
Package: snmp
Source: net-snmp (5.7.2.1+dfsg-1+deb8u1)
Version: 5.7.2.1+dfsg-1+deb8u1+b1

When I try to build the packages from source with dget http://security.debian.org/debian-security/pool/updates/main/n/net-snmp/net-snmp_5.7.2.1+dfsg-1+deb8u1.dsc and cowbuilder I get packages built with file names like this: snmp_5.7.2.1+dfsg-1+deb8u1_amd64.deb (without the +b1 in the version), just as I would expect. I've grepped fro b1 in the unpacked net-snmp-5.7.2.1+dfsg folder generated by dget and don't find anything that should append +b1 to the package name.

I've also tried to clone git://anonscm.debian.org/pkg-net-snmp/pkg-net-snmp.git which is mentioned by net-snmp-5.7.2.1+dfsg/debian/control but there are no tags for either version. The most relevant tag seems to be debian/5.7.2.1+dfsg-1 without even the +deb8u1. Never mind.

So how do I build the 5.7.2.1+dfsg-1+deb8u1+b1 version of the snmp packages that apt wants to install? Do I have the right version of the source package? If not, where should I get it?

Peter V. Mørch
  • 812
  • 7
  • 15

1 Answers1

1

Do I have the right version of the source package? If not, where should I get it?

This is how you download the sources for any package on any debian-derived distribution:

 apt-get source package

It does not matter what websity X or Y says - they could be outdated, refer to different repositories than configured on your system, etc etc.. let apt figure out the details (and, perhaps more important: the verification of signatures).

About the +b# suffix, which is explained here, it is not relevant in this context, as it does not indicate a change in the source package. It is merely there to notify the package managers to upgrade the binary - a binary produced from the unchanged source but with potentially changed build environment.

What happens to change logs? The release team can push the change log in their wanna-build request, so after the next release, there might be no trace of the +b# versions:

binNMUs don't need to be acknowledged in your source changelog afterwards, whereas NMUs typically are. - debian wiki

anx
  • 6,875
  • 4
  • 22
  • 45
  • Thank you for your answer. It does tell me that I have the correct source package. Comparing `apt-get source snmp` and `dget ...net-snmp_5.7.2.1+dfsg-1+deb8u1.dsc` with `diff -r` shows that they generate *exactly* the same thing - both without `+b#` anywhere. [Recompilation or binary-only NMU](https://unix.stackexchange.com/questions/90012/what-do-b-packages-versions-mean-in-debian) linked to link in @anx's answer, says that "Despite the required modification of the changelog, these are called binary-only NMUs", so I guess rebuilding them will require a local manual edit of the changlog. – Peter V. Mørch Apr 06 '18 at 14:04
  • It's also important to never download directly but instead use an apt-get command: it will validate the downloaded file using signed checksums. Any other method is prone to mitm interception, which is easy considering most repositories don't (have to) use https (and anyway https doesn't tell if the mirror would give Debian's original file) – A.B Apr 06 '18 at 17:49