
Re: Go issues wrt. Debian infrastructure: moving forward



On 27/08/2020 09:47, Paul Gevers wrote:
> Hi,
> 
> On 26-08-2020 13:40, Clément Hermann wrote:
>> On 26/08/2020 13:22, Reinhard Tartler wrote:
>>>
>>>
>>> On Wed, Aug 26, 2020 at 7:09 AM Bastian Blank <waldi@debian.org> wrote:
>>>
>>>     Hi Clement
>>>
>>>     On Wed, Aug 26, 2020 at 12:39:36PM +0200, Clément Hermann wrote:
>>>     > - a way for dak to get the orig tarball from main archive when it's not
>>>     > already in the security archive (or at least, as a workaround, a way to
>>>     > find and upload all needed source easily)
>>>
>>>     As soon as you stop emitting Built-Using, this problem is gone.  Except
>>>     of course for the cases that actually need them, which is mainly GPL
>>>     and Apache licensed software.
>>>
>>> That's surprising, it seems I must be missing some specifics about how
>>> dak handles Built-Using specifically. I skimmed through the dak source
>>> code, but nothing strikes out to me specifically about this particular
>>> point.
>>>
>>> Can you please help me fill in the gaps here?
>>
>> I have to admit I don't really get it either. We will migrate away from
>> Built-Using, probably using something like what Rust is using
>> (X-Go-Built-Using). However, packages are still built statically, and
>> still need to be binNMUed when a build-depends has a security update.
>>
>> Did I misunderstand the issue with dak and orig tarballs not in security
>> archive yet?
>>
>> (note: adding back the CC-ed list, sorry for cross posting but this
>> still belongs at least in debian-release IMO)
> 
> Well, I would say slightly more on the security (they can't decently
> support packages in the golang ecosystem) and ftp-master (the owners of
> dak and technically needed to solve the issue) lists, but yes, in the
> end it's the release team that decides what goes into the release. This
> problem is a big one.

Right. Let me re-add team@security.debian.org and add ftp-master then.

The original message on debian-go and debian-release is here:

https://lists.debian.org/msgid-search/176455fa-4611-f2c1-9ca1-f855d7d998f9@debian.org

Let's discuss this! We (Go team) would love to work toward resolving this issue for Bullseye, but we can't decide what'd be better on our own - I'm sure no one is happy with the situation, and the ideal situation where Go packages don't need to statically link everything isn't likely to happen.

A meeting during DebConf with interested parties would be best in my opinion, but discussing things by e-mail is still good. :)

PS: but then maybe we should stick this to one list once interested parties have been notified. Please let me know what the proper etiquette is on this matter, since I have little to no experience on it.
-- 
nodens

