On Thu, Dec 07, 2023 at 09:38:47PM +0100, Salvatore Bonaccorso wrote: >... > Hmm technically likely right, but in security we cannot very well > handle the binNMUs (only if the source is already present there, > otherwise ftp-masters need to inject the sources first). > > This is related to > https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecFull?highlight=%28gen-DSA%29#BinNMUs > and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823820 (well > more broadly to have source available).
This shouldn't be a problem here, we are talking about binNMUs immediately after sources+binaries had been uploaded to security.[1] And the most common case (e.g. cacti or jtreg6) is that the uploads to security should have been source-only, AFAIK uploads to security-stable do not hit NEW when the source and binary packages are already in stable. > Regards, > Salvatore cu Adrian [1] assuming no binary-all packages are involved _______________________________________________ Reproducible-builds mailing list Reproducible-builds@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/reproducible-builds