
Re: Security releases for ecosystems that use static linking



On Mon, Mar 18, 2024 at 01:13:15PM +0100, Emilio Pozuelo Monfort wrote:
> [ Adding debian-dak@ to Cc ]
> > One solution which has been discussed in the past is to import a full copy
> > of stable towards stable-security at the beginning of each release cycle,
> > but that is currently not possible since security-master is a Ganeti VM
> > and the disk requirements for a full archive copy would rather require
> > a baremetal host.
> 
> What if the overrides list was updated regularly but the sources were only
> imported on-demand? e.g. upon a new upload
> - trigger override update from ftp-master
> - if upload is sourceless and source is not present:
>   - try to import source from ftp-master
> 
> This would also solve the current problem that an update on security-master
> may have the same version but different orig tarball than the one on
> ftp-master.

We'd need an estimate of what percentage of a given release sees an update via
foo-security over the five year period (plus some wiggle room for a potentially
increased rate of updates for rust/go) to make sure that the disk space on security-master
supports such a setup.

But the approach per se seems solid to me.

Cheers,
        Moritz
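As an added illustration of the on-demand scheme proposed in the quoted mail (not part of the thread and not dak's code), the following Python sketch models two archives as in-memory tables and walks through the decision: a sourceless upload is accepted if the matching source is already in the security archive, otherwise the source is fetched from ftp-master; a sourceful upload whose orig tarball hash differs from the one ftp-master holds for the same upstream version is flagged instead of silently accepted, which is the mismatch the quoted mail mentions. The archive names, the `Upload`/`Archive` classes, the hash values and the package names are all constructed for the example; real version parsing (epochs, native packages) is left out.

```python
"""Hypothetical model of on-demand source import for a security archive.
Not dak's implementation; the archives, uploads and hashes are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def upstream_version(version: str) -> str:
    """Strip the Debian revision: '1.2-3+deb12u1' -> '1.2' (epochs not handled here)."""
    return version.rsplit("-", 1)[0]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class SourcePackage:
    name: str
    version: str          # full Debian version
    orig_sha256: str      # checksum of name_upstream.orig.tar.*


@dataclass
class Archive:
    """Minimal stand-in for an archive's source table (hypothetical)."""
    name: str
    sources: Dict[Tuple[str, str], SourcePackage] = field(default_factory=dict)

    def lookup(self, name: str, version: str) -> Optional[SourcePackage]:
        return self.sources.get((name, version))

    def orig_hash(self, name: str, upstream: str) -> Optional[str]:
        """Hash of the orig tarball already held for this upstream version, if any."""
        for (n, v), src in self.sources.items():
            if n == name and upstream_version(v) == upstream:
                return src.orig_sha256
        return None

    def add(self, src: SourcePackage) -> None:
        self.sources[(src.name, src.version)] = src


@dataclass(frozen=True)
class Upload:
    source: str
    version: str
    has_source: bool
    orig_sha256: Optional[str] = None   # only meaningful for sourceful uploads


def process_upload(upload: Upload, security: Archive, ftpmaster: Archive) -> str:
    """Decide what happens to an upload; returns a short action string."""
    upstream = upstream_version(upload.version)
    if upload.has_source:
        # Sourceful upload: the orig tarball must match what ftp-master already
        # has for the same upstream version, otherwise the archives diverge.
        reference = ftpmaster.orig_hash(upload.source, upstream)
        if reference is not None and reference != upload.orig_sha256:
            return "reject: orig tarball differs from ftp-master"
        security.add(SourcePackage(upload.source, upload.version, upload.orig_sha256))
        return "accepted-with-source"
    # Sourceless (binary-only) upload: the source must already be present ...
    if security.lookup(upload.source, upload.version) is not None:
        return "accepted-source-present"
    # ... otherwise import it on demand from ftp-master.
    candidate = ftpmaster.lookup(upload.source, upload.version)
    if candidate is None:
        return "reject: no matching source on ftp-master"
    security.add(candidate)
    return "imported-source-from-ftp-master"


def demo() -> list:
    """Constructed scenario: stable carries foo 1.2-3; security uploads follow."""
    ftpmaster = Archive("ftp-master")
    ftpmaster.add(SourcePackage("foo", "1.2-3", sha256(b"foo-1.2.orig")))
    security = Archive("security-master")   # starts empty: nothing copied up front
    good_orig = sha256(b"foo-1.2.orig")
    bad_orig = sha256(b"foo-1.2.orig-repacked-differently")
    return [
        process_upload(Upload("foo", "1.2-3", False), security, ftpmaster),
        process_upload(Upload("foo", "1.2-3", False), security, ftpmaster),
        process_upload(Upload("foo", "1.2-3+deb12u1", True, good_orig), security, ftpmaster),
        process_upload(Upload("foo", "1.2-3+deb12u2", True, bad_orig), security, ftpmaster),
        process_upload(Upload("bar", "0.1-1", False), security, ftpmaster),
    ]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The first binary-only upload pulls the source across, the second finds it already present, the sourceful update with the same orig tarball is accepted, the one with a different orig is refused, and a package unknown to ftp-master cannot be imported at all.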

