On Thu, Jan 12, 2023 at 11:28 PM Paul Gevers <elb...@debian.org> wrote:
>
> Hi Shengjing,
>
> On 11-01-2023 09:32, Shengjing Zhu wrote:
> > Please unblock package golang-1.19
>
> But golang-1.19 is in sync between unstable and testing.
>

Because I haven't uploaded. This unblock request is for 1.19.5-1,
while unstable has 1.19.4-1.

> > This is a point release for golang 1.19 which happens today.
>
> I suspect you're asking for an exception as golang is on our toolchain
> list [0]? In *my* interpretation of the freeze date, you have until
> today to upload. (Yes, I know others in the team have argued differently
> on irc, we'll need to clarify that better next round). So, if you're
> quick you didn't even *need* to ask for an exception if you otherwise
> meet the criteria [1]. Please check and if you meet them, go ahead if
> your upload happens within 2 days.
>

Yes, for toolchain freeze. golang-1.19 doesn't have autopkgtest for
itself. So it will take 5 days to migrate. So it's already late for me
to upload. As I read the backlog on irc, when someone asks for rust
update, they are told the package should be in testing when the freeze
starts.

> > + Many Go packages still record Built-Using field, so this upload will
> >   block Go packages from migration. Release team need to rebuild outdated
> >   Built-Using.
>
> I don't think it blocks migration (but maybe I'm misunderstanding what
> you mean). But why hasn't this been fixed by now? Do you know if bugs
> have been filed?
>

I mean if I upload golang-1.19 to unstable, and if it's unapproved to
migrate to testing, then any Go packages built with
golang-1.19/unstable will be blocked on migration. Since they have
Built-Using of golang-1.19/unstable, and must be migrated after
golang-1.19.

And for abuse of Built-Using field, dpkg has added a new field, which
is called Static-Built-Using. Anthony Fok has implemented it in
dh-golang, and has migrated some packages to use that new field. But
this is not something that can be automated. So all Go packages need
manual update.
There's no call for doing this inside the team yet. That's slow in progress.

> >    The Go point release or security release may happen several times during
> >    freeze.
> >    What kind of release can be expected to be unblocked during freeze?
>
> Again, it's written in [1]. Please let me know if there's something unclear.
>
> But this bug report triggered me: did the golang security situation
> already improve during this release cycle? I may be misremembering, but
> I recall the problems on the security archive side haven't been fixed,
> have they?
>

For some reference, I did several security updates for golang-1.15 for
bullseye, but we didn't rebuild other packages. These security updates
are not urgent enough anyway.
And others also update some Go packages for bullseye. In general, we
just do the usual update for stable release.

As for the security archive, IIRC, for bullseye, the security team did
need to ask ftp-master to copy some individual packages manually. I'm
not sure how it is going now. But given the low update frequency I
observed for bullseye, probably that works.

-- 
Shengjing Zhu
