On 06/02/2019 23:47, Antoine Beaupré wrote:
> On 2019-02-06 23:42:12, Chris Lamb wrote:
>> Hi Antoine,
>>
>>> all golang Debian packages are (as elsewhere) statically compiled
>>> and linked so we'd need to rebuild all the rdeps
>>
>> Hm. Can we avoid /all/ the rdeps? I mean, grep the rdeps for ones
>> that use this library?
>
> Yeah, that's what I was implying, sorry if that was unclear... I'm not
> actually sure how that works. I assume it's a bunch of binNMUs,

Note that due to the fact the security archive is a separate dak
instance, it doesn't contain all the sources from the main archive, only
those that were specifically uploaded to -security. Meaning: we can't
binNMU packages that are not in the security archive, they will need
sourceful uploads instead (unless an ftp-master uses some magic to copy
packages to -security, I know there are plans to make -security synced
with the main archive but it hasn't happened yet).

See how Markus handled the agg (header-only lib) security update by
following up with no change uploads of the two rdeps.

> but we
> first need to figure out which packages actually use that specific lib.

The golang maintainers use the Built-Using field to keep track of what
is using what and what packages need to be rebuilt (e.g. when
golang-defaults is updated). But that may not be good enough in this
case if only a part of golang is affected. Better ask the golang or the
security team to see how they handled it.

Cheers,
Emilio
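
Added example, not part of the message above and not the golang or security team's tooling: a sketch of the Built-Using lookup it mentions, listing binary packages whose Built-Using field names a given source package. The package names and versions in the sample are constructed, and versions are compared by exact string match rather than Debian version ordering.

```python
import re

# Constructed sample in Packages-file format (not real archive data).
SAMPLE_PACKAGES = """\
Package: example-tool
Version: 1.0-1
Built-Using: golang-1.11 (= 1.11.5-1), golang-example-lib (= 0.3-2)

Package: other-tool
Version: 2.1-3
Built-Using: golang-1.11 (= 1.11.5-1),
 golang-other-lib (= 1.2-1)

Package: plain-c-tool
Version: 0.9-1
"""

ENTRY_RE = re.compile(r"^\s*([a-z0-9][a-z0-9+.\-]+)\s*\(=\s*([^)\s]+)\s*\)\s*$")

def parse_stanzas(text):
    """Yield one dict per control stanza, unfolding continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def built_using(fields):
    """Return {source: version} parsed from a stanza's Built-Using field."""
    result = {}
    for entry in fields.get("Built-Using", "").split(","):
        m = ENTRY_RE.match(entry)
        if m:
            result[m.group(1)] = m.group(2)
    return result

def rebuild_candidates(text, source, fixed_version=None):
    """Packages built using `source`; skip those already at fixed_version."""
    hits = []
    for fields in parse_stanzas(text):
        ver = built_using(fields).get(source)
        if ver is not None and ver != fixed_version:
            hits.append((fields["Package"], ver))
    return sorted(hits)
```

As the message says, a match here only shows that the source package was used at build time, not that the affected part of it ended up in the binary.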