
Re: security updates of Golang packages



Hi Paul,

On Tue, 26 Apr 2022, Paul Gevers wrote:
> But if you have the tooling to create such versioned dependencies (and you'd need those to get everything right), then we could use the same tools to add Depwait on the binNMUs and the build order would be correct again.

Hmm, Depwaits are new to me. If I have package A with version 1-1 that gets a fix in version 1-2, then I can add:
 dw B . amd64 . bullseye . -m "A (>=1-2)"
But what do I need to write to let package C wait for the rebuild of B?

> Sure tooling is a big problem, but on top of that a big problem with the security archive is that it doesn't have the sources for packages that have never seen a security upload. Which means we can't even binNMU there in those cases.

Until the space problem on seger is fixed, the tooling could also create a script that copies all packages. This would be a manual ftpmaster-step before the binNMU, but at least this is better than no fix at all.

  Thorsten

