Hi

On 27/08/2020 18:41, Moritz Muehlenhoff wrote:
> On Thu, Aug 27, 2020 at 11:31:36AM +0200, Clément Hermann wrote:
>>>>> On Wed, Aug 26, 2020 at 12:39:36PM +0200, Clément Hermann wrote:
>>>>> > - a way for dak to get the orig tarball from main archive when it's not
>>>>> > already in the security archive (or at least, as a workaround, a way to
>>>>> > find and upload all needed source easily)
>>>>>
>>>>> As soon as you stop emitting Built-Using, this problem is gone. Except
>>>>> of course for the cases that actually need them, which is mainly GPL
>>>>> and Apache licensed software.
>
> It is still needed even if you stop using Built-Using. If a Go library is
> updated (and similar for Rust) reverse dependencies need to be rebuilt and
> security-master and ftp-master don't share tarballs. The first time a package
> is built for a suite (e.g. buster-security) it currently needs an upload which
> includes the orig tarball (i.e. building with -sa).
>
> Obviously this doesn't scale at all for binNMUing lots of rdeps. So we need
> a fix in dak/security-master so that it fetches the orig source from
> ftp-master (or a similar solution).

Thanks for the confirmation :)

> Quoting from the original mail:
>> Can we take opportunity of Debconf20 to set up an ad-hoc session and
>> talk about the best way forward to fix this?
>
> I think an IRC session would work best, but not sure what exact input you
> need?
> For dak implementation questions this needs some FTP master input.

I'm fine with IRC too. I think the dak implementation would be the best (along with a script or something that can tell which packages to binNMU, but with the proper field set in d/control for binaries that doesn't sound difficult).

What I'd hope to get from such a session would be a possible, acceptable workaround if the dak issue is (as it seems) too complicated to fix in a timely manner. For instance, a script that would get all the needed source packages and upload them whenever someone needs to binNMU a Go package. Or whatever makes security@d.o and release management life easier.

Cheers,

--
nodens