Re: Bug#928026: security support for golang packages in Buster
- To: Shengjing Zhu <zhsj@debian.org>
- Cc: Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Paul Gevers <elbrus@debian.org>, 928026@bugs.debian.org, debian-release@lists.debian.org, debian-go@lists.debian.org, 928027@bugs.debian.org, 928227@bugs.debian.org
- Subject: Re: Bug#928026: security support for golang packages in Buster
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Fri, 10 May 2019 08:58:42 +0200
- Message-id: <[🔎] 20190510065842.GB15353@eldamar.local>
- Mail-followup-to: Shengjing Zhu <zhsj@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>, team@security.debian.org, Paul Gevers <elbrus@debian.org>, 928026@bugs.debian.org, debian-release@lists.debian.org, debian-go@lists.debian.org, 928027@bugs.debian.org, 928227@bugs.debian.org
- In-reply-to: <[🔎] CAFyCLW-zYffgNc7vbdMQPBBSuj44zFXoR0cTiV6sRqwWrV_+HQ@mail.gmail.com>
- References: <f1a737f3-b0d9-1111-f42e-bb10196b63f6@debian.org> <20190420210734.GA22183@pisco.westfalen.local> <20190426102958.c3h22jetcdn2s4ov@layer-acht.org> <20190427073148.GA7478@debian> <[🔎] 1ee63955-8db2-5f1f-7174-9dfd293f306e@debian.org> <[🔎] 20190508175317.emqld4kpnfvqit3x@inutil.org> <[🔎] CAFyCLW-zYffgNc7vbdMQPBBSuj44zFXoR0cTiV6sRqwWrV_+HQ@mail.gmail.com>
Hi,
On Fri, May 10, 2019 at 10:44:13AM +0800, Shengjing Zhu wrote:
> Hi the security team,
>
> On Thu, May 9, 2019 at 1:53 AM Moritz Muehlenhoff <jmm@inutil.org> wrote:
> [...]
> >
> > There's the additional issue that ftp-master and security-master don't
> > share tarballs; binNMUs are only possible for packages which are on
> > security-master, so we'd need to do manual source uploads for every
> > affected go package.
> >
>
> I probably lack of some historical background, have you ever think of
> merging ftp-master and security-master?
The security team does not manage dak on security-master, this is
actually ftp-masters domain. The separation has as disadantages and
advantages, one which comes to my mind idepenently on the aspect of
the one beeing security-master is to have a fallback updateing channel
in case one or the other cannot be used.
But okay that's not the point.
There is #823820 for one Built-Using aspect, but the idea might be
possible to generalize to have on every time orig tarballs from
main archive available on security-master as well.
Regards,
Salvatore
Reply to: