From 8cf0efd9eef8c63420589bcdfc4f3692cbd30398 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <mfritsche@reauktion.de>
Date: Wed, 20 May 2026 15:57:18 +0200
Subject: [PATCH 1/3] build.yml: route 4 fourier-debian jobs to debian-aarch64
 (bohr)

Native trixie execution avoids the cross-distro ABI skew issues we
hit when building libva-v4l2-request-fourier-debian on Arch (PR #44):
__vaDriverInit_1_23 vs trixies libva 2.22 binding. The same hazard
applies to other fourier-debian jobs that link against debian libs.

Jobs moved from runs-on: arch-aarch64 -> debian-aarch64:
- ffmpeg-v4l2-request-debian
- mpv-fourier-debian
- daedalus-v4l2-debian
- daedalus-v4l2-dkms-debian

Left alone (arch=all, no native compile against debian libs):
- lmcp-debian
- claude-his-debian

Depends on PR #46 (runs-on uses bohrs LABEL, not runner-name).
---
 .gitea/workflows/build.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index b30dd73b2..815777a8d 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -906,7 +906,7 @@ jobs:
   # -------------------------------------------------------------------------
   ffmpeg-v4l2-request-debian:
     needs: ffmpeg-v4l2-request-aarch64
-    runs-on: arch-aarch64
+    runs-on: debian-aarch64
     continue-on-error: true
     steps:
       - uses: actions/checkout@v4
@@ -1045,7 +1045,7 @@ jobs:
   # -------------------------------------------------------------------------
   mpv-fourier-debian:
     needs: mpv-fourier-aarch64
-    runs-on: arch-aarch64
+    runs-on: debian-aarch64
     continue-on-error: true
     steps:
       - uses: actions/checkout@v4
@@ -1131,7 +1131,7 @@ jobs:
   # -------------------------------------------------------------------------
   daedalus-v4l2-debian:
     needs: claude-his-debian
-    runs-on: arch-aarch64
+    runs-on: debian-aarch64
     continue-on-error: true
     steps:
       - uses: actions/checkout@v4
@@ -1220,7 +1220,7 @@ jobs:
   # -------------------------------------------------------------------------
   daedalus-v4l2-dkms-debian:
     needs: daedalus-v4l2-debian
-    runs-on: arch-aarch64
+    runs-on: debian-aarch64
     continue-on-error: true
     steps:
       - uses: actions/checkout@v4
-- 
2.47.3


From dfdee756684a985598a15238b70b199ad3c13a30 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <mfritsche@reauktion.de>
Date: Wed, 20 May 2026 16:32:36 +0200
Subject: [PATCH 2/3] debian/*/build-deb.sh: add curl timeouts (10s connect,
 600s total, 3 retries)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without timeouts, a slow/dead-TCP upstream (e.g. github tarballs)
hangs the runner indefinitely.  Today run 15185 mpv-fourier-debian
sat 6+ min on "curl -sSLfo mpv.tar.gz https://github.com/.../mpv-0.41.0.tar.gz"
with no progress visible — fermis act_runner blocked, slot unusable
for parallel work.

--connect-timeout 10  fails fast if upstream is unreachable
--max-time 600        caps worst-case at 10 min per fetch
--retry 3             handles transient flakes
--retry-delay 5       gives transient outages a moment

Patched in: claude-his-agent, daedalus-v4l2, daedalus-v4l2-dkms,
libva-v4l2-request-fourier, lmcp, mpv-fourier.  ffmpeg-v4l2-request-fourier
has no curl call.
---
 debian/claude-his-agent/build-deb.sh           | 2 +-
 debian/daedalus-v4l2-dkms/build-deb.sh         | 2 +-
 debian/daedalus-v4l2/build-deb.sh              | 2 +-
 debian/libva-v4l2-request-fourier/build-deb.sh | 2 +-
 debian/lmcp/build-deb.sh                       | 2 +-
 debian/mpv-fourier/build-deb.sh                | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/debian/claude-his-agent/build-deb.sh b/debian/claude-his-agent/build-deb.sh
index 3215a75cc..9ce847a10 100755
--- a/debian/claude-his-agent/build-deb.sh
+++ b/debian/claude-his-agent/build-deb.sh
@@ -16,7 +16,7 @@ work=$(mktemp -d)
 trap "rm -rf $work" EXIT
 
 cd "$work"
-curl -sSLfo his.tar.gz \
+curl --connect-timeout 10 --max-time 600 --retry 3 --retry-delay 5 -sSLfo his.tar.gz \
     "https://git.reauktion.de/marfrit/claude-his-agent/archive/v${PKGVER}.tar.gz"
 echo "$HIS_TARBALL_SHA256  his.tar.gz" | sha256sum -c
 tar xzf his.tar.gz
diff --git a/debian/daedalus-v4l2-dkms/build-deb.sh b/debian/daedalus-v4l2-dkms/build-deb.sh
index 342fd4f4d..0240d2be9 100755
--- a/debian/daedalus-v4l2-dkms/build-deb.sh
+++ b/debian/daedalus-v4l2-dkms/build-deb.sh
@@ -28,7 +28,7 @@ work=$(mktemp -d)
 trap "rm -rf $work" EXIT
 
 cd "$work"
-curl -sSLfo daedalus-v4l2.tar.gz \
+curl --connect-timeout 10 --max-time 600 --retry 3 --retry-delay 5 -sSLfo daedalus-v4l2.tar.gz \
     "https://git.reauktion.de/reauktion/daedalus-v4l2/archive/${UPSTREAM_COMMIT}.tar.gz"
 tar xzf daedalus-v4l2.tar.gz
 SRCDIR=daedalus-v4l2
diff --git a/debian/daedalus-v4l2/build-deb.sh b/debian/daedalus-v4l2/build-deb.sh
index b9db05535..a5193d014 100755
--- a/debian/daedalus-v4l2/build-deb.sh
+++ b/debian/daedalus-v4l2/build-deb.sh
@@ -28,7 +28,7 @@ work=$(mktemp -d)
 trap "rm -rf $work" EXIT
 
 cd "$work"
-curl -sSLfo daedalus-v4l2.tar.gz \
+curl --connect-timeout 10 --max-time 600 --retry 3 --retry-delay 5 -sSLfo daedalus-v4l2.tar.gz \
     "https://git.reauktion.de/reauktion/daedalus-v4l2/archive/${UPSTREAM_COMMIT}.tar.gz"
 tar xzf daedalus-v4l2.tar.gz
 SRCDIR=daedalus-v4l2
diff --git a/debian/libva-v4l2-request-fourier/build-deb.sh b/debian/libva-v4l2-request-fourier/build-deb.sh
index 26c4fdb9a..34be619f6 100755
--- a/debian/libva-v4l2-request-fourier/build-deb.sh
+++ b/debian/libva-v4l2-request-fourier/build-deb.sh
@@ -27,7 +27,7 @@ work=$(mktemp -d)
 trap "rm -rf $work" EXIT
 
 cd "$work"
-curl -sSLfo libva-fourier.tar.gz \
+curl --connect-timeout 10 --max-time 600 --retry 3 --retry-delay 5 -sSLfo libva-fourier.tar.gz \
     "https://git.reauktion.de/marfrit/libva-v4l2-request-fourier/archive/${UPSTREAM_COMMIT}.tar.gz"
 tar xzf libva-fourier.tar.gz
 SRCDIR=$(echo libva-v4l2-request-fourier)
diff --git a/debian/lmcp/build-deb.sh b/debian/lmcp/build-deb.sh
index 330af8c1e..cad0d3b87 100755
--- a/debian/lmcp/build-deb.sh
+++ b/debian/lmcp/build-deb.sh
@@ -23,7 +23,7 @@ work=$(mktemp -d)
 trap "rm -rf $work" EXIT
 
 cd "$work"
-curl -sSLfo lmcp.tar.gz "https://git.reauktion.de/marfrit/lmcp/archive/${UPSTREAM_TAG}.tar.gz"
+curl --connect-timeout 10 --max-time 600 --retry 3 --retry-delay 5 -sSLfo lmcp.tar.gz "https://git.reauktion.de/marfrit/lmcp/archive/${UPSTREAM_TAG}.tar.gz"
 echo "$LMCP_TARBALL_SHA256  lmcp.tar.gz" | sha256sum -c
 tar xzf lmcp.tar.gz
 
diff --git a/debian/mpv-fourier/build-deb.sh b/debian/mpv-fourier/build-deb.sh
index 5881b5a03..007f7521e 100755
--- a/debian/mpv-fourier/build-deb.sh
+++ b/debian/mpv-fourier/build-deb.sh
@@ -33,7 +33,7 @@ work=$(mktemp -d)
 trap "rm -rf $work" EXIT
 
 cd "$work"
-curl -sSLfo mpv.tar.gz \
+curl --connect-timeout 10 --max-time 600 --retry 3 --retry-delay 5 -sSLfo mpv.tar.gz \
     "https://github.com/mpv-player/mpv/archive/v${MPV_VERSION}/mpv-${MPV_VERSION}.tar.gz"
 echo "$MPV_TARBALL_SHA256  mpv.tar.gz" | sha256sum -c
 tar xzf mpv.tar.gz
-- 
2.47.3


From 7570d2daab66a952bd4b58eccbc33f36a207e1ca Mon Sep 17 00:00:00 2001
From: Markus Fritsche <mfritsche@reauktion.de>
Date: Wed, 20 May 2026 16:37:30 +0200
Subject: [PATCH 3/3] check-already-published.sh: use dpkg vercmp for debian
 (skip when pool >= source)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Old logic curl-HEAD-checked an exact pkgname_pkgver-pkgrel_arch.deb URL.
That breaks when source PKGREL has rolled back below pools current head:
reprepro rejects the lower-version upload but our exact-URL check still
404s, so CI rebuilds the package on EVERY push without ever updating
the pool — endless rebuild trap.

New logic parses the canonical Packages index (what apt consults) and
uses dpkg --compare-versions to skip iff pool >= source.

Pool view today:
- ffmpeg-v4l2-request-fourier: pool=2:8.1+rfourier+gb57fbbe-4 vs
                               source=2:8.1+rfourier+gb57fbbe-2
                               4 >= 2 → skip (was: 404 → rebuild)
- mpv-fourier:                 pool=1:0.41.0+rfourier-3 vs
                               source=1:0.41.0+rfourier-1
                               3 >= 1 → skip (was: 404 → rebuild)

set +o pipefail before the curl|awk pipeline — awks early `exit`
closes the pipe, curl gets SIGPIPE and returns 23 ("Failure writing
output"), which under our pipefail/-e header aborts the script with
empty pool_ver. Localised pipefail-off keeps the global -euo behaviour
elsewhere.
---
 .gitea/scripts/check-already-published.sh | 28 +++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/.gitea/scripts/check-already-published.sh b/.gitea/scripts/check-already-published.sh
index 1c19dc853..21f000e15 100755
--- a/.gitea/scripts/check-already-published.sh
+++ b/.gitea/scripts/check-already-published.sh
@@ -193,13 +193,33 @@ debian)
   esac
 
   pkg_name=$(basename "$RECIPE_DIR")
-  first_letter="${pkg_name:0:1}"
 
-  url="${REPO_BASE}/debian/pool/main/${first_letter}/${pkg_name}/${pkg_name}_${ver_full}_${file_arch}.deb"
-  code=$(http_head "$url")
-  if [ "$code" = "200" ]; then
+  # Compare against the canonical Packages index (what apt actually
+  # consults).  reprepro refuses lower-version uploads, so checking
+  # only an exact source-pkgrel URL produces an endless-rebuild trap
+  # whenever source PKGREL has rolled back below pool head.  We skip
+  # if pools published version >= source version-tuple.
+  source_full="${ver_full}"
+  if [ -n "${PKGVER#*:}" ] && [ "${PKGVER}" != "${PKGVER#*:}" ]; then
+    # PKGVER had an epoch — keep it for dpkg --compare-versions.
+    source_full="${PKGVER}-${PKGREL}"
+  fi
+
+  # Determine suite: most recipes publish to both bookworm and trixie;
+  # checking trixie is sufficient (changelogs share Distribution).
+  suite="trixie"
+  pkg_arch_label="$file_arch"
+  [ "$file_arch" = "all" ] && pkg_arch_label="all"
+  packages_url="${REPO_BASE}/debian/dists/${suite}/main/binary-arm64/Packages"
+  [ "$file_arch" = "amd64" ] && packages_url="${REPO_BASE}/debian/dists/${suite}/main/binary-amd64/Packages"
+
+  pool_ver=$(set +o pipefail; curl -sS --max-time "$HEAD_TIMEOUT" "$packages_url" 2>/dev/null     | awk -v p="$pkg_name" '$1=="Package:" && $2==p {found=1; next} found && $1=="Version:" {print $2; exit}')
+
+  if [ -n "$pool_ver" ] && command -v dpkg >/dev/null &&        dpkg --compare-versions "$pool_ver" ge "$source_full"; then
+    echo "pool has $pool_ver >= source $source_full" >&2
     emit 1
   fi
+  echo "pool has $pool_ver, source wants $source_full — build" >&2
   emit 0
   ;;
 
-- 
2.47.3