Re: Go issues wrt. Debian infrastructure: moving forward
Hi
On 27/08/2020 18:41, Moritz Muehlenhoff wrote:
> On Thu, Aug 27, 2020 at 11:31:36AM +0200, Clément Hermann wrote:
>>>>> On Wed, Aug 26, 2020 at 12:39:36PM +0200, Clément Hermann wrote:
>>>>> > - a way for dak to get the orig tarball from main archive when
>>>>> it's not
>>>>> > already in the security archive (or at least, as a workaround, a
>>>>> way to
>>>>> > find and upload all needed source easily)
>>>>>
>>>>> As soon as you stop emitting Built-Using, this problem is gone. Except
>>>>> of course for the cases that actually needs them, which is mainly GPL
>>>>> and Apache licensed software.
>
> It is still needed even if you stop using Built-Using. If a Go library is updated
> (and similar for Rust) reverse dependencies needs to be rebuilt and security-master
> and ftp-master don't share tarballs. The first time a package is built for a
> suite (e.g. buster-security) it currently needs an uplaod with includes the
> orig tarball (i.e. building with -sa).
>
> Obviously this doesn't scale at all for binNMUing lots of rdeps. So we need
> a fix in dak/security-master so that it fetches the orig source from ftp-master
> (or a similar solution).
Thanks for the confirmation :)
> Quoting from the original mail:
>> Can we take opportunity of Debconf20 to set up an ad-hoc session and
>> talk about the best way forward to fix this ?
>
> I think an IRC session would work best, but not sure what exact input you need?
> For dak implementation questions this needs some FTP master input.
I'm fine with IRC too. I think the dak implementation would be the best
(along with a script or something that can tell which packages to
binNMU, but with the proper field set d/control for binaries that
doesn't sound difficult).
What I'd hope to get from such a session would be possible, acceptable
workaround if the dak issue is (as it seems) too complicated to fix in a
timely manner.
For instance, a script that would get all the needed source package and
upload then whenever someone needs to binNMU a go package. Or whatever
makes security@d.o and release management life easier.
Cheers,
--
nodens
Reply to: