Re: source uploads are no problem (but binNMUs are)

To: Paul Gevers <elbrus@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: source uploads are no problem (but binNMUs are)
From: Simon.Richter@hogyros.de
Date: Tue, 2 Dec 2025 00:14:53 +0900 (GMT+09:00)
Message-id: <[🔎] b7798e07-21ae-4641-a610-39c6d7a307c8@hogyros.de>
In-reply-to: <dca0a7d1-641f-4f4d-a854-073ac34112da@debian.org>
References: <91d8b710-3083-4f87-85b4-835b4fff7c7c@app.fastmail.com> <20251127180728.GA445509@subdivi.de> <aSkx9tObAFZd34W1@localhost> <a766861c-530f-426f-adb6-5ddf302a2641@debian.org> <aSohHA9Ma2zlNBaH@localhost> <aSra5m7fOVNEtzwB@layer-acht.org> <dca0a7d1-641f-4f4d-a854-073ac34112da@debian.org>

Hi,

it shouldn't be a no-source-change upload though — there also needs to bea way to enforce building against a fixed version of dependencies,preferably one that also works for backported security fixes.

A horrible but maybe viable approach would be that a security uploadProvides a name containing the DSA number, and dependent packagesBuild-Depend on that and provide their own, i.e.:


Package: static-foo-dev
Provides: static-foo-dev-dsa-12345

and in the dependent package:

Source: bar
Build-Depends: static-foo-dev (>= some version), static-foo-dev-dsa-12345

Package: static-bar-dev
Provides: static-bar-dev-dsa-12345

With this, the buildds would order the builds correctly.

   Simon

Reply to:

Prev by Date: Bug#1121736: ITP: prometheus-cpp-lite -- C++ Header-only Prometheus client library
Next by Date: Bug#1121745: ITP: octave-generate-html -- generate HTML web page from help texts for Gnu Octave
Previous by thread: Bug#1121736: ITP: prometheus-cpp-lite -- C++ Header-only Prometheus client library
Next by thread: Bug#1121745: ITP: octave-generate-html -- generate HTML web page from help texts for Gnu Octave
Index(es):
- Date
- Thread