Mattia Rizzolo <mattia@debian.org> (2023-08-16):
> In general, I'd expect you to be building against
> stable+stable-updates+stable-security, and I suspect you haven't been
> otherwise you would not have met this issue.
>
> Then, once a package has been published through -security, it *also*
> propagates through -updates after a while anyway.

No.

> Indeed, you could see
> it in this case as well in https://tracker.debian.org/pkg/curl :
> [2023-07-26] Accepted curl 7.88.1-10+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Samuel Henrique)
> [2023-07-30] Accepted curl 7.88.1-10+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
> In this case, 4 days... But then u2 came along:
> [2023-08-05] Accepted curl 7.88.1-10+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
> So u1 was removed from -updates, but since -security nearly never
> removes old versions there it stays outdated.
>
> So, I'd tempt to double check your setup, as your particular case it's
> a tad hard to hit if the build host is configured correctly.

There seems to be much confusion here:
 - security updates can show up in *stable-proposed-updates* (and get
   replaced as that's the case here).
 - you start your mail advocating for including *stable-updates* in the
   build setup, which is definitely a different thing!

Cheers,
-- 
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant