
Re: golang-go.crypto / CVE-2019-11841



Hi Brian,

On Tue, Nov 10, 2020 at 4:03 AM Brian May <bam@debian.org> wrote:
> I might need help here:
>
> === cut ===
> Debian FTP Masters <ftpmaster@ftp-master.debian.org> (28 mins. ago) ()
> Subject: rclone_1.35-1+deb8u1_amd64.changes REJECTED
> To: dak@security.debian.org, bam@debian.org
> Date: Mon, 09 Nov 2020 21:50:14 +0000
>
> golang-github-ncw-rclone-dev_1.35-1+deb8u1_all.deb: Built-Using refers to non-existing source package go-md2man (= 1.0.6+ds-1)
>
> ===
>
> Please feel free to respond to this email if you don't understand why
> your files were rejected, or if you upload new files which address our
> concerns.
> === cut ===
>
> go-md2man is in stretch, not stretch-security. But I don't see any
> reference to the package in the source:
>
> === cut ===
>
> *snip*
>
> What is this "Built-Using" header? Where does it come from? Do I have to
> upload everything in "Built-Using" to stretch-security first? Why?
>
> How do I resolve this in a sane and sensible manner?

You need to ask FTP masters to inject the needed source packages on
security-master and reprocess the rejected packages.

I've hit that in the past but the FTP masters were kind and fast
enough to re-process that.



- u

