On 2024-01-16 10:59 +0100, Simon Josefsson wrote:
> My naive approach on how to fix a security problem in package X which is
> statically embedded into other packages A, B, C, ... would be to rebuild
> the transitive closure of all packages that Build-Depends on X and
> publish a security update for all those packages.
>
> What is the problem with that approach to handle security problems in a
> Go package for trixie?
Well, the reason we have not done this in the past is that the rebuild propagation needed potentially adds significant load to the buildds, and we used to have barely enough capacity to keep up with uploads for some architectures. I think that situation is quite a lot better these days, at least for release architectures, but I'm not sure how much slack there is in the system across the board? Other distros that routinely rebuild everything don't support anything like as many architectures.

If it is only done for security issues, rather than routinely, then that shouldn't be that much extra load (does anyone have any idea how much extra building we are talking about? Is it trivial, or huge?)

Wookey
--
Principal hats: Debian, Wookware, ARM
http://wookware.org/