Monero package maintenance cadence

As many are probably aware, the Monero protocol recently updated. This would be fine, except there were misplaced transactions in the blockchain, causing many nodes to become locked. Looking at the speed of the Whonix repository, it appears that it takes some amount of time to push packages through. I saw it happen with the initial release of 0.17, and now it appears it will happen again with the patch coming upstream from the Monero core team.

I am wanting to start contributing more to open source, so I am wondering if it is possible to contribute to package management after I figure out how this works. How are packages handled in Whonix? Can you push packages at any time, providing they meet any internal standards, or is it more complex?

Where should I start?

You’d need to have experience with Debian packaging standards and experience in compiling low-level code. There would also need to be other community members who do auditing and reproducible compilations of the package, because trust in a cryptocurrency daemon is no trivial matter.

Updated just now.

I probably have more answers soonish.

At the core of your question is whether the package upload and build can be helped… Currently no. We don’t have any package build server that would allow for collaborative package maintenance, reproducible builds, verification, etc.

Download, OpenPGP verification, git commands, package build commands and repository management commands are somewhat automated, but there are still a lot of manual steps and further automation is difficult.

If someone wanted to help, I posted a lot of ideas here:

Looking closer, it appears that every Monero 0.17 release has not been able to produce a GUI and CLI package simultaneously. Should I be looking toward this delay upstream instead? Though it seems there was still a noticeable lapse in time after a GUI package was produced before entering the Whonix repository, but there were no critical issues to address then.

TamaraneanGirl via Whonix Forum:

> Looking closer, it appears that every Monero 0.17 release has not been able to produce a GUI and CLI package simultaneously.

There were never separate GUI and CLI packages.

https://ccs.getmonero.org/proposals/adrelanos-debian-package.html

> Should I be looking toward this delay upstream instead?

To do what?

> Though it seems there was still a noticeable lapse in time after a GUI package was produced before entering the Whonix repository, but there were no critical issues to address then.

If there’s no critical issue, there’s no hurry. And it’s also prudent to wait a bit for the dust to settle in case there are any reports of major regressions.

I was talking about the upstream monero-project, not the Whonix Debian repository packages. I did further reading, and it now makes sense that you would not be able to package the complete monero-gui packages without the corresponding GUI from upstream, as monero-gui is just a Debian package wrapper of the binaries from getmonero.org.

The critical issue was that anyone who ran a Monero node prior to syncing block 2210720 of the blockchain could get stuck, as the next block would be considered invalid by the monerod software. There was an upstream patch issued in release 0.17.1.1.

Getting back to the Whonix Debian packages: seeing as it is a general purpose package, not intended for Whonix itself but included nonetheless, anyone who relies on the package from the Whonix repository to run a node would have an issue.

Is there any directive from upstream on how fast upgrades must be usually installed? This time seems kinda a tight time table from upgrade to broken sync.