On 26/08/2020 13:22, Reinhard Tartler wrote: > > > On Wed, Aug 26, 2020 at 7:09 AM Bastian Blank <wa...@debian.org > <mailto:wa...@debian.org>> wrote: > > Hi Clement > > On Wed, Aug 26, 2020 at 12:39:36PM +0200, Clément Hermann wrote: > > - a way for dak to get the orig tarball from main archive when > it's not > > already in the security archive (or at least, as a workaround, a > way to > > find and upload all needed source easily) > > As soon as you stop emitting Built-Using, this problem is gone. Except > of course for the cases that actually needs them, which is mainly GPL > and Apache licensed software. > > That's surprising, it seems I must be missing some specifics about how > dak handles Built-Using specifically. I skimmed through the dak source > code, but nothing strikes out to me specifically about this particular > point. > > can you please help me fill in the gaps here?
I have to admit I don't really get it either. We will migrate away from Built-Using, probably using something like rust is using (X-Go-Built-Using). However, packages are still built statically, and still need to be binNMUed when a build-depends has a security update. Did I misunderstand the issue with dak and orig tarballs not in security archive yet? (note: adding back the CC-ed list, sorry for cross posting but this still belong at least in debian-release IMO) -- nodens
