Hi,

I do not think an upload without a DLA is a big concern. We have had quite a few of these when we needed to backport certain components in order to build some package. I think it was firefox but I could be remembering wrong. To my knowledge no one complained then.

You do however raise a valid concern about uploading multiple packages and that they may pick up the wrong library. I think the solution to this is to make sure to add a versioned dependency on the package that is supposed to be re-built.

Best regards

// Ola

On Wed, 19 May 2021 at 12:43, Brian May <b...@debian.org> wrote:
> Ola Lundqvist <o...@inguza.com> writes:
>
> > In this case I think we should issue one DLA and tell all the packages that
> > have been updated at the same time. This requires some rephrasing compared
> > to a standard DLA but I do not think we should have a lot of them.
> >
> > This considering that we have fixed all the packages that require re-build.
> >
> > I think it will be difficult to synchronize the fix of several
> > vulnerabilities. This could be done in some specific cases, but generally I
> > think we should accept that we have multiple uploads.
>
> I think the problem here, like you say, generally the fix to the library
> needs to be done first and uploaded first, before the dependency
> packages.
>
> During which time, people might complain that there was a package
> uploaded without a DLA. Which is fair enough.
>
> The big problem with trying to upload multiple packages at the same time
> is that the autobuilders could pick up the old library on some
> architectures (i.e. the library hasn't been built on that platform yet).
> Really need to make sure that the library has been uploaded and built on
> all platforms before you upload the dependencies.
> --
> Brian May <b...@debian.org>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/       Mobile: +46 (0)70-332 1551          |
 ---------------------------------------------------------------
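The two safeguards discussed in this thread, checking that the fixed library has actually been built on every release architecture before the dependent packages are uploaded, and pinning those dependents to the fixed version with a versioned build-dependency, can be scripted. The following is an added example, not code from the thread or from Debian's tooling; it parses rmadison-style output (`rmadison -s <suite> <source>`), and the sample output, the library name `libfoo`, the versions and the architecture list are all constructed for illustration.

```python
"""Pre-upload check for rebuilt dependents (added example, hypothetical).

Parses rmadison-style lines of the form
  ' src | version | suite | source, amd64, arm64, ...'
and reports the release architectures on which a given library version
has not yet been built. Dependents should only be uploaded once that
list is empty, and with a versioned Build-Depends on the fixed library.
"""

# Constructed sample: the fixed version (deb9u2) is uploaded but the
# autobuilders have not finished on three architectures yet.
SAMPLE_MADISON = """\
 libfoo | 1.2.3-1+deb9u1 | stretch          | source, amd64, arm64, armel, armhf, i386, mips, mips64el, mipsel, ppc64el, s390x
 libfoo | 1.2.3-1+deb9u2 | stretch-security | source, amd64, arm64, armhf, i386, mips64el, ppc64el, s390x
"""

# Assumed set of release architectures the library must be built on.
REQUIRED_ARCHES = {"amd64", "arm64", "armel", "armhf", "i386",
                   "mips", "mips64el", "mipsel", "ppc64el", "s390x"}


def parse_madison(text):
    """Return {(version, suite): set(arches)} from rmadison-style output."""
    rows = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _source, version, suite, arches = parts
        rows[(version, suite)] = {a.strip() for a in arches.split(",") if a.strip()}
    return rows


def missing_arches(text, version, required=REQUIRED_ARCHES):
    """Architectures on which `version` has no binary build yet, in any suite."""
    built = set()
    for (ver, _suite), arches in parse_madison(text).items():
        if ver == version:
            built |= arches
    return sorted(required - built)


def safe_to_upload_dependents(text, version, required=REQUIRED_ARCHES):
    """True only when the fixed library is built everywhere it is required."""
    return not missing_arches(text, version, required)


def versioned_build_depends(dev_package, fixed_version):
    """Build-Depends entry that refuses to build against an older library."""
    return f"{dev_package} (>= {fixed_version})"
```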