Ola Lundqvist <o...@inguza.com> writes:

> In this case I think we should issue one DLA and tell all the packages that
> have been updated at the same time. This requires some rephrasing compared
> to a standard DLA but I do not think we should have a lot of them.
>
> This considering that we have fixed all the packages that require re-build.
>
> I think it will be difficult to synchronize the fix of several
> vulnerabilities. This could be done in some specific cases, but generally I
> think we should accept that we have multiple uploads.
I think the problem here, like you say, is that generally the fix to the library needs to be done first and uploaded first, before the dependency packages. During which time, people might complain that there was a package uploaded without a DLA. Which is fair enough.

The big problem with trying to upload multiple packages at the same time is that the autobuilders could pick up the old library on some architectures (i.e. the library hasn't been built on that platform yet). Really need to make sure that the library has been uploaded and built on all platforms before you upload the dependencies.

-- 
Brian May <b...@debian.org>
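The "built on all platforms before you upload the dependencies" check from Brian's message, as an added example that is not part of the thread and not a tool of the Debian LTS team: a small POSIX shell script that reads text in the column layout printed by `rmadison` (devscripts: package | version | suite | architectures) and lists every expected architecture that does not yet carry the fixed library version. The package name, versions, suite and sample lines below are constructed placeholders, and the expected architecture list is an assumption to be replaced with the release's real one.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Debian tooling.
# Reports which expected architectures still lack a build of a given library
# version, so reverse dependencies are not uploaded while the autobuilders
# could still pick up the old library on some architecture.
set -eu

# Assumption: the architectures the library must be built for before
# rebuilt reverse dependencies are uploaded. Replace with the real list.
EXPECTED_ARCHS="amd64 arm64 armel armhf i386"

# Constructed sample in rmadison's output layout (placeholders, not real
# archive data): the old version is everywhere, the fixed one only on two archs.
SAMPLE_MADISON='
 libexample | 1.0-1+deb9u1 | stretch          | source, amd64, arm64, armel, armhf, i386
 libexample | 1.0-1+deb9u2 | stretch-security | source, amd64, i386
'

# archs_for VERSION  (reads madison-format text on stdin)
# Prints the sorted, space-separated binary architectures carrying VERSION;
# the pseudo-architectures "source" and "all" are not builds and are skipped.
archs_for() {
    version="$1"
    awk -F'|' -v want="$version" '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)   # trim the version column
            if ($2 != want) next
            n = split($4, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", a[i])
                if (a[i] != "source" && a[i] != "all") print a[i]
            }
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# missing_archs VERSION  (reads madison-format text on stdin)
# Prints, one per line, each expected architecture with no build of VERSION.
missing_archs() {
    built=$(archs_for "$1")
    for arch in $EXPECTED_ARCHS; do
        case " $built " in
            *" $arch "*) ;;          # built on this architecture
            *) echo "$arch" ;;       # still missing
        esac
    done
}

# ready_for_rdeps VERSION  (reads madison-format text on stdin)
# Succeeds only when every expected architecture carries VERSION.
ready_for_rdeps() {
    [ -z "$(missing_archs "$1")" ]
}

# Usage: feed the output of `rmadison -s <suite> <library>` instead of the
# constructed sample. Here the fixed version is still missing on three archs.
printf '%s\n' "$SAMPLE_MADISON" | missing_archs 1.0-1+deb9u2
```

The script deliberately treats an unknown version as "built nowhere": if the query returns no line for the fixed version at all, every expected architecture is reported missing, which is the safe answer when deciding whether dependent uploads can go ahead.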