On Mon, Aug 31, 2020 at 08:37:05PM +0200, Emilio Pozuelo Monfort wrote:
> On 31/08/2020 20:29, Moritz Mühlenhoff wrote:
> > On Sat, Aug 29, 2020 at 10:18:57PM +0200, Clément Hermann wrote:
> >> Other than that, I don't think there are, my understanding was that the
> >> missing orig.tar.gz when dealing with a lot of new packages in the
> >> security archive was the main blocker on ftp-master plate.
> >
> > I think so, too. That should resolve the tooling issues and only leave
> > the implementation of how to detect what needs to be rebuilt.
>
> For that, take a look at the tool generating the haskell and ocaml binNMU
> list, see [1] and [2] and the source in [3]. You may want to contribute and
> extend that tool to support golang, or at least reuse the output format
> (both the wanna-build and the json one).

The packages that do *not* get rebuilt during transitions of ecosystems
that are based on static libraries like Haskell are the actual programs
like git-annex. Transitions only handle dependencies between static
libraries.

And the problem is a bit different for ecosystems where libraries are
static libraries, and ecosystems where "libraries" are binary-all
packages like Go.

For a security fix in code shipped by the Haskell compiler a 26 level
transition involving 1k packages is necessary in stable.

For a security fix in the package shipped with the Go compiler[1] it is
sufficient to just binNMU the 100 leaf packages containing programs
written in Go.

> Cheers,
> Emilio
>
> [1] https://people.debian.org/~nomeata/binNMUs-haskell.txt
> [2] https://people.debian.org/~nomeata/binNMUs-ocaml.txt
> [3] https://salsa.debian.org/haskell-team/tools/-/tree/master/binnmus

cu
Adrian

[1] think of it like glibc and OpenSSL shipped with gcc and statically
    linked into all applications
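
The difference between the two models described in this thread can be shown on a small dependency graph. The following is an added example, not part of the original message and not the binNMU tool linked above; the package names, the `(compiled, build_deps)` layout and the function `rebuild_levels` are constructed for illustration and assume an acyclic build-dependency graph.

```python
from functools import lru_cache

def rebuild_levels(archive, fixed):
    """Return the binNMU rounds (lists of package names) needed after a fix in `fixed`.

    archive maps name -> (compiled, build_deps). compiled=False models a
    binary-all package that ships only source and is never rebuilt itself,
    but still carries the fixed code into whatever is built against it.
    """
    @lru_cache(maxsize=None)
    def depth(pkg):
        # None: pkg embeds nothing from `fixed`; otherwise the round it belongs to.
        if pkg == fixed:
            return 0
        compiled, deps = archive[pkg]
        below = [d for d in map(depth, deps) if d is not None]
        if not below:
            return None
        # Only compiled packages open a new round; source-only ones pass through.
        return max(below) + (1 if compiled else 0)

    rounds = {}
    for pkg, (compiled, _) in archive.items():
        d = depth(pkg)
        if compiled and pkg != fixed and d is not None:
            rounds.setdefault(d, []).append(pkg)
    return [sorted(rounds[d]) for d in sorted(rounds)]

# Constructed sample: every library is a compiled static library (Haskell-like).
STATIC_LIBS = {
    "compiler":  (True, []),
    "lib-a":     (True, ["compiler"]),
    "lib-b":     (True, ["compiler", "lib-a"]),
    "lib-c":     (True, ["compiler", "lib-a"]),
    "program":   (True, ["compiler", "lib-b", "lib-c"]),
    "unrelated": (True, []),
}

# Constructed sample: "libraries" are binary-all source packages (Go-like).
SOURCE_LIBS = {
    "compiler":  (True, []),
    "lib-a-dev": (False, ["compiler"]),
    "lib-b-dev": (False, ["lib-a-dev"]),
    "program-1": (True, ["compiler", "lib-b-dev"]),
    "program-2": (True, ["compiler"]),
    "unrelated": (True, []),
}

if __name__ == "__main__":
    print(rebuild_levels(STATIC_LIBS, "compiler"))
    print(rebuild_levels(SOURCE_LIBS, "compiler"))
```

With static libraries the rebuild has to proceed in ordered rounds, one per dependency level; with source-only libraries a single round over the affected programs is enough, whether the fix is in the compiler package or in one of the library packages.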