We need to consider the following dak limitations and behaviours for security updates:
- Initial uploads of packages to security-master need to be built with "-sa" to include the orig.tar.gz. If oldstable and stable share the same tarball, first build the stable package with -sa, upload it to security-master, wait for it to be accepted into the queue, then build the oldstable package without -sa and upload it to security-master.
- dak mails are only sent to an @security.debian.org alias and not to the uploader (who might be the maintainer). 796784
- DM maintainers cannot upload to security-master, while they can upload to ftp-master. 796095
- When it takes a while before packages get uploaded to ftp-master (e.g. when there's some time between upload to security-master and actual DSA release), some of the buildd signing keys may have expired in the meantime and ftp-master rejects the packages. This has to be fixed by manually re-signing the .changes file(s) as found on security-master and dputting them with the .debs directly to ftp-master. The old/archived changes files are found in /srv/security-master.debian.org/queue/done.
- The archive breaks if new-security-install is aborted
- Packages with udebs end up in NEW; asking ftp-master to simply accept them will install them, which is not usually desired.
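
A pre-upload check for the first item above, as an added example that is not part of dak or of this page's own tooling: it reads the Files field of a .changes file to confirm that an initial upload carries the orig tarball and that a follow-up upload (for example oldstable after stable) does not. The function names and the sample .changes content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not dak or Debian tooling): check a .changes file before
# uploading to security-master. All function names here are hypothetical.

# has_orig FILE: succeed if the Files: field lists an upstream orig tarball
# (pkg_ver.orig.tar.* or pkg_ver.orig-component.tar.*).
has_orig() {
    awk '
        /^Files:/         { in_files = 1; next }
        in_files && !/^ / { in_files = 0 }   # a non-indented line ends the field
        in_files && $NF ~ /\.orig(-[A-Za-z0-9-]+)?\.tar\.[a-z0-9]+$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# check_upload MODE FILE
#   initial  : first upload of this tarball, must have been built with -sa
#   followup : tarball already accepted (e.g. oldstable after stable),
#              built without -sa, so no orig tarball is expected
check_upload() {
    case "$1" in
        initial)  has_orig "$2" ;;
        followup) ! has_orig "$2" ;;
        *) echo "usage: check_upload initial|followup FILE" >&2; return 2 ;;
    esac
}

# write_sample DIR: constructed .changes fragments with placeholder checksums.
write_sample() {
    sum=00000000000000000000000000000000
    cat > "$1/with_sa.changes" <<EOF
Source: examplepkg
Version: 1.0-1+deb12u1
Files:
 $sum 1200 utils optional examplepkg_1.0-1+deb12u1.dsc
 $sum 90000 utils optional examplepkg_1.0.orig.tar.xz
 $sum 4000 utils optional examplepkg_1.0-1+deb12u1.debian.tar.xz
EOF
    grep -v 'orig\.tar' "$1/with_sa.changes" > "$1/without_sa.changes"
}

# Command-line use: sh check.sh initial path/to/file.changes
if [ "$#" -eq 2 ]; then
    check_upload "$1" "$2"
fi
```
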