Hi, On 26-08-2020 13:40, Clément Hermann wrote: > On 26/08/2020 13:22, Reinhard Tartler wrote: >> >> >> On Wed, Aug 26, 2020 at 7:09 AM Bastian Blank <waldi@debian.org >> <mailto:waldi@debian.org>> wrote: >> >> Hi Clement >> >> On Wed, Aug 26, 2020 at 12:39:36PM +0200, Clément Hermann wrote: >> > - a way for dak to get the orig tarball from main archive when >> it's not >> > already in the security archive (or at least, as a workaround, a >> way to >> > find and upload all needed source easily) >> >> As soon as you stop emitting Built-Using, this problem is gone. Except >> of course for the cases that actually needs them, which is mainly GPL >> and Apache licensed software. >> >> That's surprising, it seems I must be missing some specifics about how >> dak handles Built-Using specifically. I skimmed through the dak source >> code, but nothing strikes out to me specifically about this particular >> point. >> >> can you please help me fill in the gaps here? > > I have to admit I don't really get it either. We will migrate away from > Built-Using, probably using something like rust is using > (X-Go-Built-Using). However, packages are still built statically, and > still need to be binNMUed when a build-depends has a security update. > > Did I misunderstand the issue with dak and orig tarballs not in security > archive yet? > > (note: adding back the CC-ed list, sorry for cross posting but this > still belong at least in debian-release IMO) Well, I would say slightly more on the security (they can't decently support packages in the golang ecosystem) and ftp-master (the owners of dak and technically needed to solve the issue) lists, but yes, in the end it's the release team that decides what goes into the release. This problem is big one. Paul
Attachment:
signature.asc
Description: OpenPGP digital signature