Bug#928026: Bug#928227: technical solutions enabling binNMUs in the security archive (support of golang packages)

2019-05-24 Thread Ansgar
Paul Gevers writes:
> On 20-05-2019 09:06, Ansgar wrote:
>> I thought about importing the full source to security-master already for
>> a different reason: `Built-Using` leads to a similar problem as binNMUs
>> in that uploads require source that is not already present in the
>> archive.
>> 
>> It is not necessary to push all sources to the public mirrors.
>
> Does this mean you think it is feasible to do/fix this in the near future?

Importing sources once is probably doable; writing something to continue
updating them (at point release time and similar) takes more time which
I currently can't commit to.

There is also the question of storage: the full buster source is
something like 60 GB+, but security-master only has 63 GB free storage
right now (need to check with DSA by how much that could increase).
Though we might need more storage over the lifetime of Buster anyway as
eventually oldstable will have debug symbols too...

If storage is a problem, we would need to look at importing only
subsets, but I don't really like treating packages differently.

Ansgar



Bug#928026: Bug#928227: technical solutions enabling binNMUs in the security archive (support of golang packages)

2019-05-20 Thread Paul Gevers
Hi Ansgar,

On 20-05-2019 09:06, Ansgar wrote:
> I thought about importing the full source to security-master already for
> a different reason: `Built-Using` leads to a similar problem as binNMUs
> in that uploads require source that is not already present in the
> archive.
> 
> It is not necessary to push all sources to the public mirrors.

Does this mean you think it is feasible to do/fix this in the near future?

>> Another solution already raised by Shengjing is to merge the archives. I
>> *guess* that is undesirable due to the fact that the security archive
>> often has embargoed sources and binaries. Am I right there?
> 
> That doesn't work as dak doesn't try to keep secrets.  There are various
> ways information would be leaked about embargoed issues (mails,
> database, web interface (rmadison), ...).
> 
> I personally also don't find it too bad to have a fallback: if one of
> the hosts is broken at the same time we have to release a critical
> update, we can still do so by publishing via the "wrong" archive.

Regarding my other direction with wanna-build, I learned yesterday via
another bug (#894441 binNMUs should be replaced by easy no-change
uploads) that wanna-build is not in the place to fix this because
uploads need to be signed.

Paul


