On Wed, May 8, 2019 at 2:45 PM Paul Gevers wrote: > With respect to binNMU'ing, static linking is not a problem, only > arch:all is. Most haskell (4 vs 1048) and ocaml (21 vs 233) aren't > arch:all. haskell and ocaml have a framework in place to at least know > the status in unstable/testing. See e.g. the "permanent trackers" at > https://release.debian.org/transitions/ I don't know yet what this means > for security support. Neither do I know what it means for rust.
I think there is something that the release/security teams might be missing here: The Go/Rust arch:all packages (the golang-*-dev ones) contain only source code (ideally things would support build-deps on foo:src, the current Go/Rust binary packages are a workaround for that being missing), so they do not need to be changed after a security upload. Only the packages containing statically linked Go/Rust code need to be binNMUed and those ones should be arch:any since they contain architecture-specific binaries. In addition the arch:all packages do not have Built-Using, only the statically linked ones do. So the workflow seems to be quite manageable, modulo the security-master binNMU issue: fix the security issue where it originated, then binNMU anything that has Built-Using on any version less than the fixed version. -- bye, pabs https://wiki.debian.org/PaulWise
