[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Go issues wrt. Debian infrastructure: moving forward

Hi
On 27/08/2020 18:41, Moritz Muehlenhoff wrote:
> On Thu, Aug 27, 2020 at 11:31:36AM +0200, Clément Hermann wrote:
>>>>>     On Wed, Aug 26, 2020 at 12:39:36PM +0200, Clément Hermann wrote:
>>>>>     > - a way for dak to get the orig tarball from main archive when
>>>>>     it's not
>>>>>     > already in the security archive (or at least, as a workaround, a
>>>>>     way to
>>>>>     > find and upload all needed source easily)
>>>>>
>>>>>     As soon as you stop emitting Built-Using, this problem is gone.  Except
>>>>>     of course for the cases that actually needs them, which is mainly GPL
>>>>>     and Apache licensed software.
> 
> It is still needed even if you stop using Built-Using. If a Go library is updated
> (and similar for Rust) reverse dependencies needs to be rebuilt and security-master
> and ftp-master don't share tarballs. The first time a package is built for a
> suite (e.g. buster-security) it currently needs an uplaod with includes the
> orig tarball (i.e. building with -sa).
> 
> Obviously this doesn't scale at all for binNMUing lots of rdeps. So we need
> a fix in dak/security-master so that it fetches the orig source from ftp-master
> (or a similar solution).

Thanks for the confirmation :)

> Quoting from the original mail:
>> Can we take opportunity of Debconf20 to set up an ad-hoc session and
>> talk about the best way forward to fix this ?
> 
> I think an IRC session would work best, but not sure what exact input you need?
> For dak implementation questions this needs some FTP master input.


I'm fine with IRC too. I think the dak implementation would be the best
(along with a script or something that can tell which packages to
binNMU, but with the proper field set d/control for binaries that
doesn't sound difficult).

What I'd hope to get from such a session would be possible, acceptable
workaround if the dak issue is (as it seems) too complicated to fix in a
timely manner.

For instance, a script that would get all the needed source package and
upload then whenever someone needs to binNMU a go package. Or whatever
makes security@d.o and release management life easier.

Cheers,

-- 
nodens
Reply to: