
Re: Golang packages



Hi

I do not think an upload without a DLA is a big concern. We have had quite a few of these when we needed to backport certain components in order to build some package. I think it was firefox, but I could be remembering wrong.
To my knowledge no one complained then.

You do, however, raise a valid concern about uploading multiple packages and that they may pick up the wrong library.
I think the solution to this is to make sure to add a versioned dependency on the package that is supposed to be re-built.

Best regards

// Ola

On Wed, 19 May 2021 at 12:43, Brian May <bam@debian.org> wrote:
Ola Lundqvist <ola@inguza.com> writes:

> In this case I think we should issue one DLA and tell all the packages that
> have been updated at the same time. This requires some rephrasing compared
> to a standard DLA but I do not think we should have a lot of them.
>
> This considering that we have fixed all the packages that require re-build.
>
> I think it will be difficult to synchronize the fix of several
> vulnerabilities. This could be done in some specific cases, but generally I
> think we should accept that we have multiple uploads.

I think the problem here, like you say, generally the fix to the library
needs to be done first and uploaded first, before the dependency
packages.

During which time, people might complain that there was a package
uploaded without a DLA. Which is fair enough.

The big problem with trying to upload multiple packages at the same time
is that the autobuilders could pick up the old library on some
architectures (i.e. the library hasn't been built on that platform yet).
Really need to make sure that the library has been uploaded and built on
all platforms before you upload the dependencies.
--
Brian May <bam@debian.org>


--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

