On 27/08/2020 09:47, Paul Gevers wrote:
> Hi,
>
> On 26-08-2020 13:40, Clément Hermann wrote:
>> On 26/08/2020 13:22, Reinhard Tartler wrote:
>>>
>>>
>>> On Wed, Aug 26, 2020 at 7:09 AM Bastian Blank <[email protected]
>>> <mailto:[email protected]>> wrote:
>>>
>>> Hi Clement
>>>
>>> On Wed, Aug 26, 2020 at 12:39:36PM +0200, Clément Hermann wrote:
>>> > - a way for dak to get the orig tarball from main archive when it's not
>>> > already in the security archive (or at least, as a workaround, a way to
>>> > find and upload all needed source easily)
>>>
>>> As soon as you stop emitting Built-Using, this problem is gone. Except
>>> of course for the cases that actually need them, which is mainly GPL
>>> and Apache licensed software.
>>>
>>> That's surprising, it seems I must be missing some specifics about how
>>> dak handles Built-Using specifically. I skimmed through the dak source
>>> code, but nothing strikes out to me specifically about this particular
>>> point.
>>>
>>> can you please help me fill in the gaps here?
>>
>> I have to admit I don't really get it either. We will migrate away from
>> Built-Using, probably using something like rust is using
>> (X-Go-Built-Using). However, packages are still built statically, and
>> still need to be binNMUed when a build-depends has a security update.
>>
>> Did I misunderstand the issue with dak and orig tarballs not in security
>> archive yet?
>>
>> (note: adding back the CC-ed list, sorry for cross posting but this
>> still belongs at least in debian-release IMO)
>
> Well, I would say slightly more on the security (they can't decently
> support packages in the golang ecosystem) and ftp-master (the owners of
> dak and technically needed to solve the issue) lists, but yes, in the
> end it's the release team that decides what goes into the release. This
> problem is a big one.

Right. Let me re-add [email protected] and add ftp-master then.

The original message on debian-go and debian-release is here:
https://lists.debian.org/msgid-search/[email protected]

Let's discuss this! We (go team) would love to work toward resolving
this issue for Bullseye, but we can't decide what'd be better on our
own - I'm sure no one is happy with the situation, and the ideal
situation where Go packages don't need to statically link everything
isn't likely to happen.

A meeting during DebConf with interested parties would be best in my
opinion, but discussing things by e-mail is still good. :)

PS: but then maybe we should stick this to one list once interested
parties have been notified, please let me know what the proper etiquette
is on this matter since I have little to no experience on it

--
nodens

