Re: security updates of Golang packages
Hi Paul,
On Tue, 26 Apr 2022, Paul Gevers wrote:
> But if you have the tooling to create such versioned dependencies (and you'd
> need those to get everything right), then we could use the same tools to add
> Depwait on the binNMUs and the build order would be correct again.
Hmm, Depwaits are new to me. If I have package A with version 1-1 that
gets a fix in version 1-2, then I can add:
dw B . amd64 . bullseye . -m "A (>=1-2)"
But what do I need to write to let package C wait for the rebuild of B?
> Sure tooling is a big problem, but on top of that a big problem with the
> security archive is that it doesn't have the sources for packages that have
> never seen a security upload. Which means we can't even binNMU there in those
> cases.
Until the space problem on seger is fixed, the tooling could also create a
script that copies all packages. This would be a manual ftpmaster-step
before the binNMU, but at least this is better than no fix at all.
Thorsten