
Re: security updates of Golang packages



Hi Thorsten,

On 27-04-2022 00:08, Thorsten Alteholz wrote:
> On Tue, 26 Apr 2022, Paul Gevers wrote:
>> But if you have the tooling to create such versioned dependencies (and you'd need those to get everything right), then we could use the same tools to add Depwait on the binNMUs and the build order would be correct again.
>
> hmm, Depwaits are new to me. If I have package A with version 1-1 that gets a fix in version 1-2, then I can add:
>   dw B . amd64 . bullseye . -m "A (>=1-2)"

Mind you, src:B, bin:A.

> But what do I need to write to let package C wait for the rebuild of B?

Additionally, if I recall correctly, $(dw) normally comes after $(nmu). The call to $(nmu) can be extended to have an explicit binNMU number and the $(dw) call can use that. Although, you'd probably already need to look up the last binNMU number to be able to use that in the $(nmu) call, so you'd know what to use in $(dw).

>> Sure tooling is a big problem, but on top of that a big problem with the security archive is that it doesn't have the sources for packages that have never seen a security upload. Which means we can't even binNMU there in those cases.
>
> Until the space problem on seger is fixed, the tooling could also create a script that copies all packages. This would be a manual ftpmaster-step before the binNMU, but at least this is better than no fix at all.

ack.

Paul
