[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#928227: technical solutions enabling binNMUs in the security archive (support of golang packages)

Hi Ansgar,

On 20-05-2019 09:06, Ansgar wrote:
> I though about importing the full source to security-master already for
> a different reason: `Built-Using` leads to a similar problem as binNMUs
> in that uploads require source that is not already present in the
> archive.
> It is not necessary to push all sources to the public mirrors.

Does this mean you think it is feasible to do/fix this in the near future?

>> Another solution already raised by Shengjing is to merge the archives. I
>> *guess* that is undesirable due to the fact that the security archive
>> often has embargoed sources and binaries. Am I right there?
> That doesn't work as dak doesn't try to keep secrets.  There are various
> ways information would be leaked about embargoed issues (mails,
> database, web interface (rmadison), ...).
> I personally also don't find it too bad to have a fallback: if one of
> the hosts is broken at the same time we have to release a critical
> update, we can still do so by publishing via the "wrong" archive.

Regarding my other direction with wanna-build, I learned yesterday via
another bug (#894441 binNMUs should be replaced by easy no-change
uploads) that wanna-build is not in the place to fix this because
uploads need to be signed.


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: