Re: xfree86_4.1.0-16woody4_alpha.changes REJECTED
(replying to my own mail at gun^Wflamethrower-point)
On Mon, Oct 18, 2004 at 03:02:47PM +0200, Jeroen van Wolffelaar wrote:
> On Mon, Oct 18, 2004 at 07:44:29AM -0500, Branden Robinson wrote:
> > Is there a FAQ somewhere that will tell me why I always get "REJECTED"
> > mails from katie after submitting security-fixed packages to the Debian
> > Security Team?
> > I get one for each architecture.
> > I seem to remember asking Debian Installer
> > <firstname.lastname@example.org> before, but never getting an answer.
> The problem is that stable-security is a separate archive, and requires
> a sourceful upload. Give the '-sa' option to dpkg-buildpackage to
> overrule the heuristic that says only -1 and -0 packages need to have
> their source included.
Branden Robinson told me that however he did prepare the upload, it was
his understanding that the security team would not use it as-is, but
rebuild it. They didn't, and due to Branden's assumption, he didn't
think he needed to follow the guidelines specific to how exactly to
dpkg-buildpackage the upload for security updates.
> Also see http://www.debian.org/doc/developers-reference/ch-pkgs#s-bug-security
> which says to simply mail updated packages to the security team, and to
> not normally upload them yourself.
So it was the security team who uploaded Branden's packages as-is. Sorry
for assuming wrong, but something like this is uncheckable as the
signature was Branden's.
> A subsection of this section has also the answer to your question:
> | Unless the upstream source has been uploaded to security.debian.org
> | before (by a previous security update), build the upload with full
> | upstream source (dpkg-buildpackage -sa). If there has been a previous
> | upload to security.debian.org with the same upstream version, you may
> | upload without upstream source (dpkg-buildpackage -sd).
This text is by the way incomplete. It should say "If there has been a
previous upload ... same upstream version _since the latest point
release_, you may upload without upstream source". Or even better, just
change it to 'always use -sa', as having multiple security updates for
one package between the same point releases is rare, and even if so, the
extra bandwidth used during upload is neglectible (and it can't hurt).
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)