On Mon, 25 Apr 2022, Shengjing Zhu wrote:
> For binNMU, it's also possible to add Dep-Wait.

Hmm, but that would be some manual work, wouldn't it?

> I don't have a preference for it. And I think binNMU is not friendly
> to Debian derivatives.

Ok, that is a good point.

> For ratt and other packages focusing on Build-Depends, they ensure
> other packages won't FTBFS.
> For tools focusing on (Static-)Built-Using, they ensure the embedded
> libraries are up to date.

I would like to object here.

If you look at package crowdsec, you find no dependency on
golang-github-tidwall-gjson in its Built-Using:, but only an entry for
golang-github-appleboy-gin-jwt.
golang-github-appleboy-gin-jwt for its part depends on
golang-github-tidwall-gjson-dev.

So wouldn't crowdsec be affected by a CVE in golang-github-tidwall-gjson,
which is not detected when using Built-Using: but only by Build-Depends:?

At least I got more packages to be rebuilt when using ratt than with
Built-Using: ...
Thorsten
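The difference Thorsten describes, as an added worked example that is not part of the thread and not code from ratt or dh-golang: given control-style stanzas, it computes which source packages need a rebuild after a fix in one Go library, once by matching Built-Using: as written (a flat list) and once by walking reverse Build-Depends: transitively the way ratt does. The stanzas are constructed to mirror the crowdsec / gin-jwt / gjson chain from the mail (plus an assumed sibling package, golang-github-tidwall-sjson); they are illustrative, not the real archive metadata, and the version constraints and the Binary: field are assumptions.

```python
"""Rebuild candidates after a security fix in a Go library package.

Added example; the stanzas are constructed (not real archive data).
"""
import re
from collections import deque

# Constructed control-style metadata mirroring the thread's example.
SOURCES = """\
Package: crowdsec
Binary: crowdsec
Build-Depends: debhelper-compat (= 13), dh-golang, golang-github-appleboy-gin-jwt-dev (>= 2.8)
Built-Using: golang-github-appleboy-gin-jwt (= 2.8.0-1)

Package: golang-github-appleboy-gin-jwt
Binary: golang-github-appleboy-gin-jwt-dev
Build-Depends: debhelper-compat (= 13), dh-golang, golang-github-tidwall-gjson-dev
Built-Using:

Package: golang-github-tidwall-gjson
Binary: golang-github-tidwall-gjson-dev
Build-Depends: debhelper-compat (= 13), dh-golang

Package: golang-github-tidwall-sjson
Binary: golang-github-tidwall-sjson-dev
Build-Depends: debhelper-compat (= 13), dh-golang, golang-github-tidwall-gjson-dev
"""


def parse_stanzas(text):
    """Parse deb822-style stanzas into {source package: {field: value}}."""
    pkgs = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        pkgs[fields["Package"]] = fields
    return pkgs


def split_relation(value):
    """'a (>= 1), b | c' -> ['a', 'b', 'c']: drop versions/arch/profiles, keep alternatives."""
    names = []
    for clause in value.split(","):
        for alt in clause.split("|"):
            name = re.sub(r"\s*\(.*?\)|\s*\[.*?\]|<.*?>", "", alt).strip()
            if name:
                names.append(name)
    return names


def build_graph(pkgs):
    """Return (reverse build-depends by source, Built-Using by source)."""
    binary_to_source = {}
    for src, fields in pkgs.items():
        for binary in split_relation(fields.get("Binary", "")):
            binary_to_source[binary] = src
    reverse_bd = {src: set() for src in pkgs}
    built_using = {src: set(split_relation(f.get("Built-Using", "")))
                   for src, f in pkgs.items()}
    for src, fields in pkgs.items():
        for dep in split_relation(fields.get("Build-Depends", "")):
            dep_src = binary_to_source.get(dep)  # unknown binaries (debhelper...) are ignored
            if dep_src and dep_src != src:
                reverse_bd[dep_src].add(src)
    return reverse_bd, built_using


def rebuilds_via_built_using(pkgs, fixed_source):
    """One level only: packages whose Built-Using: names the fixed source package."""
    _, built_using = build_graph(pkgs)
    return {src for src, uses in built_using.items() if fixed_source in uses}


def rebuilds_via_build_depends(pkgs, fixed_source):
    """Transitive reverse build-dependencies (ratt-style breadth-first walk)."""
    reverse_bd, _ = build_graph(pkgs)
    seen, queue = set(), deque([fixed_source])
    while queue:
        current = queue.popleft()
        for dependant in reverse_bd.get(current, ()):
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return seen


def missed_by_built_using(pkgs, fixed_source):
    """Packages a Built-Using:-driven rebuild would skip but a ratt run would catch."""
    return rebuilds_via_build_depends(pkgs, fixed_source) - rebuilds_via_built_using(pkgs, fixed_source)


PKGS = parse_stanzas(SOURCES)

if __name__ == "__main__":
    fixed = "golang-github-tidwall-gjson"
    print("Built-Using:  ", sorted(rebuilds_via_built_using(PKGS, fixed)))
    print("Build-Depends:", sorted(rebuilds_via_build_depends(PKGS, fixed)))
    print("missed:       ", sorted(missed_by_built_using(PKGS, fixed)))
```

With this data a fix in golang-github-tidwall-gjson selects nothing via Built-Using: (crowdsec only names gin-jwt, and the -dev library packages carry no Built-Using: at all), while the reverse Build-Depends: walk reaches gin-jwt, sjson and, through gin-jwt, crowdsec, the statically linked binary that actually embeds the vulnerable code.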