
Re: Security releases for ecosystems that use static linking



[ Adding debian-dak@ to Cc ]

On 22/12/2023 09:54, Moritz Muehlenhoff wrote:
> On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote:
>> So let me ask you: are you interested in addressing the infrastructure
>> limitations to handle those kind of packages? and having some help for
>> that?
>
> Foremost this is an infrastructure limitation that needs to be resolved:
> security-master and ftp-master use separate dak installations, which makes
> binNMUs in the current form untenable since every package would need a
> sourceful upload first (the same reason why currently the first upload
> of a package to foo-security needs a sourceful upload).
>
> One solution which has been discussed in the past is to import a full copy
> of stable towards stable-security at the beginning of each release cycle,
> but that is currently not possible since security-master is a Ganeti VM
> and the disk requirements for a full archive copy would rather require
> a baremetal host.

What if the overrides list was updated regularly but the sources were only imported on-demand? e.g. upon a new upload
- trigger override update from ftp-master
- if upload is sourceless and source is not present:
  - try to import source from ftp-master

This would also solve the current problem that an update on security-master may have the same version but different orig tarball than the one on ftp-master.

Thoughts?

Cheers,
Emilio
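As an added illustration of the on-demand flow proposed in the mail above (this is not dak code and not anything Emilio or Moritz posted), the following Python model applies the two steps to an upload: refresh the override list from ftp-master, and, when the upload is sourceless and its source is absent on security-master, copy that exact source (orig tarball digest included) from ftp-master. The archive contents, the sha256 digests of made-up tarball bytes, and the `orig_tarball_mismatches` consistency check are constructed assumptions used only to show the "same version, different orig tarball" situation the mail mentions and why importing rather than re-uploading avoids it.

```python
"""Toy model of on-demand source import between two dak-style archives.

Added illustration, not dak's code: archives are dicts, digests are sha256
of constructed byte strings, and the rule is the one from the proposal:
refresh overrides from ftp-master on every upload; if the upload is
sourceless and its source is absent on security-master, import that source
from ftp-master instead of requiring a sourceful upload.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class SourcePackage:
    name: str
    version: str          # full Debian version, e.g. "1.2-3"
    orig_sha256: str      # digest of the .orig.tar.* this source was built from


@dataclass
class Archive:
    name: str
    sources: dict = field(default_factory=dict)    # (name, version) -> SourcePackage
    overrides: dict = field(default_factory=dict)  # package -> (section, priority)


@dataclass(frozen=True)
class Upload:
    source: str
    source_version: str
    sourceful: bool
    orig_sha256: Optional[str] = None  # only meaningful for sourceful uploads


def upstream_version(version: str) -> str:
    """'1:1.2-3+deb12u1' -> '1.2' (epoch and Debian revision stripped)."""
    no_epoch = version.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0]


def refresh_overrides(security: Archive, ftp_master: Archive) -> int:
    """Step 1 of the proposal: mirror ftp-master's override list."""
    security.overrides = dict(ftp_master.overrides)
    return len(security.overrides)


def handle_upload(upload: Upload, security: Archive, ftp_master: Archive) -> str:
    """Apply the proposed rule to one upload; returns what happened."""
    refresh_overrides(security, ftp_master)
    key = (upload.source, upload.source_version)
    if upload.sourceful:
        security.sources[key] = SourcePackage(upload.source, upload.source_version,
                                              upload.orig_sha256)
        return "accepted-sourceful"
    if key in security.sources:
        return "source-present"
    src = ftp_master.sources.get(key)
    if src is None:
        # Sourceless upload whose source exists on neither archive: reject, do not guess.
        return "rejected-no-source"
    security.sources[key] = src   # exact copy, so the orig tarball digest is identical
    return "imported-from-ftp-master"


def orig_tarball_mismatches(security: Archive, ftp_master: Archive) -> list:
    """Assumed check: same source and upstream version on both sides, different orig digest."""
    ftp_by_upstream = {}
    for src in ftp_master.sources.values():
        ftp_by_upstream[(src.name, upstream_version(src.version))] = src.orig_sha256
    out = []
    for src in security.sources.values():
        k = (src.name, upstream_version(src.version))
        if k in ftp_by_upstream and ftp_by_upstream[k] != src.orig_sha256:
            out.append(k)
    return sorted(out)


def demo() -> dict:
    """Constructed scenario: one clean binNMU-style upload, one historical mismatch."""
    ftp = Archive("ftp-master")
    ftp.overrides = {"foo": ("utils", "optional"), "bar": ("libs", "optional")}
    ftp.sources[("foo", "1.2-3")] = SourcePackage("foo", "1.2-3", sha256_hex(b"foo_1.2.orig.tar.xz"))
    ftp.sources[("bar", "2.0-1")] = SourcePackage("bar", "2.0-1", sha256_hex(b"bar_2.0.orig.tar.xz"))

    sec = Archive("security-master")
    # bar was once uploaded sourcefully to security with a re-rolled orig tarball:
    # same version string, different bytes, the situation the mail describes.
    sec.sources[("bar", "2.0-1")] = SourcePackage("bar", "2.0-1",
                                                  sha256_hex(b"bar_2.0.orig.tar.xz-rerolled"))

    results = {}
    results["foo"] = handle_upload(Upload("foo", "1.2-3", sourceful=False), sec, ftp)
    results["foo-again"] = handle_upload(Upload("foo", "1.2-3", sourceful=False), sec, ftp)
    results["baz"] = handle_upload(Upload("baz", "0.1-1", sourceful=False), sec, ftp)
    results["overrides"] = sorted(sec.overrides)
    results["mismatches"] = orig_tarball_mismatches(sec, ftp)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the imported `foo` source carrying the same orig digest as ftp-master (no mismatch reported), while the earlier sourceful `bar` upload is flagged; a binNMU whose source exists on neither archive is rejected rather than silently accepted.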

