On Tue, Aug 15, 2023 at 04:30:16PM -0500, John Goerzen wrote:
> Thanks. That's helpful... though I'm not quite sure what to do about
> it in general. I mean, I can easily enough deal with it in this case,
> but if there HADN'T been a newer one in proposed-updates, then I would
> have been forced to build against a package with known security issues,
> I suppose? (I imagine a backport of a package in bookworm-security
> would be rejected for similar reasons).
In general, I'd expect you to be building against
stable+stable-updates+stable-security, and I suspect you haven't been;
otherwise you would not have met this issue.
Then, once a package has been published through -security, it *also*
propagates through -updates after a while anyway. Indeed, you could see
it in this case as well at https://tracker.debian.org/pkg/curl:
[2023-07-26] Accepted curl 7.88.1-10+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Samuel Henrique)
[2023-07-30] Accepted curl 7.88.1-10+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
In this case, 4 days... But then u2 came along:
[2023-08-05] Accepted curl 7.88.1-10+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
So u1 was removed from -updates, but since -security nearly never
removes old versions, there it stays outdated.
So, I'd be tempted to double-check your setup, as your particular case is
a tad hard to hit if the build host is configured correctly.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
More about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
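The point of the reply above is that apt picks the highest version across whatever suites the build host has enabled, and that stable-security keeps an older upload around after proposed-updates has moved on. The following script is an added example, not code from the mail or from the Debian tracker: it parses tracker-style "Accepted ... into ..." lines (the three quoted above, embedded here as constructed sample input), orders versions with a re-implementation of dpkg's version comparison, and reports which version a build host would see for a given set of enabled suites. The assumption that a suite only exposes its newest accepted upload follows the mail's description of u1 being replaced by u2 in -updates.

```python
"""Added example (not part of the original mail): which version of a package
does an apt client select, given the Debian suites it has enabled?

Version ordering re-implements dpkg's algorithm (epoch:upstream-revision,
'~' sorts before everything, digit runs compare numerically).  The sample
log below is constructed from the tracker lines quoted in the mail.
"""
import re

ACCEPTED_RE = re.compile(
    r"\[(?P<date>[\d-]+)\] Accepted (?P<pkg>\S+) (?P<ver>\S+) \(source\) into (?P<suite>\S+)"
)

# Constructed sample: the three tracker entries quoted in the mail.
SAMPLE_LOG = """\
[2023-07-26] Accepted curl 7.88.1-10+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Samuel Henrique)
[2023-07-30] Accepted curl 7.88.1-10+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
[2023-08-05] Accepted curl 7.88.1-10+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)
"""


def _order(c):
    # dpkg's ordering for non-digit characters: '~' < end/digit < letters < others
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream or revision string the way dpkg's verrevcmp does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Walk the non-digit prefix; a digit or end-of-string acts as "" (order 0).
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ca = a[ia] if ia < len(a) and not a[ia].isdigit() else ""
            cb = b[ib] if ib < len(b) and not b[ib].isdigit() else ""
            oa, ob = _order(ca), _order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
            ia += 1
            ib += 1
        # Then compare the digit run numerically (leading zeros are irrelevant).
        na = ""
        while ia < len(a) and a[ia].isdigit():
            na += a[ia]
            ia += 1
        nb = ""
        while ib < len(b) and b[ib].isdigit():
            nb += b[ib]
            ib += 1
        da, db = int(na or "0"), int(nb or "0")
        if da != db:
            return -1 if da < db else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch defaults to 0)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)


def latest_per_suite(log_text, package):
    """Newest accepted version of `package` in each suite (older uploads are superseded)."""
    latest = {}
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m or m["pkg"] != package:
            continue
        suite, ver = m["suite"], m["ver"]
        if suite not in latest or compare_versions(ver, latest[suite]) > 0:
            latest[suite] = ver
    return latest


def candidate(log_text, package, enabled_suites):
    """Highest version visible across the enabled suites (apt's default, equal pins)."""
    latest = latest_per_suite(log_text, package)
    best = None
    for suite in enabled_suites:
        v = latest.get(suite)
        if v and (best is None or compare_versions(v, best) > 0):
            best = v
    return best


if __name__ == "__main__":
    for suites in (["stable-security"], ["stable", "stable-security", "proposed-updates"]):
        print(suites, "->", candidate(SAMPLE_LOG, "curl", suites))
```

Run as-is, the script shows a host with only stable-security enabled stuck on 7.88.1-10+deb12u1, while one that also pulls from proposed-updates sees 7.88.1-10+deb12u2; on a real build host the equivalent check is `apt-cache policy curl`, which lists the candidate and the suite each version comes from.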