Hi, On 04/11/2025 18:08, Fabian Grünbichler wrote:
2) security infrastructure issues AFAIU, but my understanding here is very limited as I am neither part of DSA nor the security team: - the security archive/builders/dak instance are running inside VMs with not enough space for a full archive, which means no binNMU support
This is #823820, also discussed in [1] (thread continues in March 2024 and July 2025).
- there is no support for building sets of interdependent uploads without releasing them (which would be required for embargoed issues to first upload a fixed crate package, then rebuild everything linking it, then release all the packages together)
I actually believe that is supported. Builds in security use other unreleased builds. They are not a 'set', so unrelated security updates will also use every unreleased update available.
this part is probably only solvable by or with involvement of the security team and DSA, for obvious reasons. 3) lack of source NMUs there are no source NMUs, so any affected source package that builds an arch:all package and also happens to link the problematic source statically needs a real, sourceful upload, which scales a lot worse if the number of such packages is higher than a handful.
I'm also not sure what's the relevance in this. Usually packages statically linking other libraries will be arch:any.
Cheers, Emilio