On Tue, Aug 15, 2023 at 04:30:16PM -0500, John Goerzen wrote:
> Thanks. That's helpful... though I'm not quite sure what to do about
> it in general. I mean, I can easily enough deal with it in this case,
> but if there HADN'T been a newer one in proposed-updates, then I would
> have been forced to build against a package with known security issues,
> I suppose? (I imagine a backport of a package in bookworm-security
> would be rejected for similar reasons).

In general, I'd expect you to be building against stable+stable-updates+stable-security, and I suspect you haven't been, otherwise you would not have met this issue.

Then, once a package has been published through -security, it *also* propagates through -updates after a while anyway. Indeed, you could see it in this case as well in https://tracker.debian.org/pkg/curl :

[2023-07-26] Accepted curl 7.88.1-10+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Samuel Henrique)
[2023-07-30] Accepted curl 7.88.1-10+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)

In this case, 4 days... But then u2 came along:

[2023-08-05] Accepted curl 7.88.1-10+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Samuel Henrique)

So u1 was removed from -updates, but since -security nearly never removes old versions there, it stays outdated.

So, I'd be tempted to double check your setup, as your particular case is a tad hard to hit if the build host is configured correctly.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
Attachment:
signature.asc
Description: PGP signature
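The post's advice is that a stable build host should track all three suites (stable, stable-updates and stable-security), because a fix may be visible in -security for days before it reaches -updates, and -security keeps superseded versions around. The script below is an added example, not part of the thread or of any Debian tooling: it shows a one-line-format sources list with the three bookworm suites and a small POSIX sh check that flags a sources file missing any of them. Both sources files are constructed for the example; the `check_suites` function name is mine.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that an apt
# sources file lists every suite a stable build host should track.

# check_suites FILE DIST
#   Looks for a "deb" line naming DIST, DIST-updates and DIST-security.
#   Prints the missing suites and returns 1 if any is absent, else 0.
check_suites() {
    file="$1"
    dist="$2"
    missing=""
    for suite in "$dist" "$dist-updates" "$dist-security"; do
        # deb or deb-src, optional [options], a URI, then the suite name
        if ! grep -Eq "^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?[^[:space:]]+[[:space:]]+$suite([[:space:]]|$)" "$file"; then
            missing="$missing $suite"
        fi
    done
    if [ -n "$missing" ]; then
        echo "$file: missing suites:$missing"
        return 1
    fi
    echo "$file: all suites present"
    return 0
}

# Constructed sample: a build host that only tracks the base suite, which
# is how one ends up building against a package with a published fix.
bad=$(mktemp)
cat > "$bad" <<'EOF'
deb http://deb.debian.org/debian bookworm main
EOF

# Constructed sample: the stable + stable-updates + stable-security set the
# post recommends (security suite lives on security.debian.org).
good=$(mktemp)
cat > "$good" <<'EOF'
deb http://deb.debian.org/debian bookworm main
deb http://deb.debian.org/debian bookworm-updates main
deb http://security.debian.org/debian-security bookworm-security main
EOF

check_suites "$bad" bookworm || true
check_suites "$good" bookworm
rm -f "$bad" "$good"
```

The check only inspects one-line `sources.list` syntax; hosts using deb822 `.sources` files need the equivalent look at their `Suites:` fields.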