The following dak limitations and behaviours need to be kept in mind for security updates:
- buildd handling is broken for security updates which share the same orig.tar.gz between oldstable and stable. In such cases we typically release the stable version first and follow up with the oldstable one after the DSA has been released.
- The initial upload of a package to security-master must be built with "-sa" so that the orig.tar.gz is included; otherwise the package is rejected. If a package was uploaded with "-sa" and then needs another update before release, the "foo-x.y-1" upload has to be rejected and "foo-x.y-2" uploaded with "-sa" again. Otherwise there are weird failures when the buildds fetch the source.
- dak mails are only sent to an @security.debian.org alias and not to the uploader (who may well be the maintainer), so the uploader gets no direct notification of accepts or rejects.
- Debian Maintainers (DMs) cannot upload to security-master, even though they can upload to ftp-master.
- When a while passes between the upload to security-master and the upload to ftp-master (e.g. because there is some time between the security-master upload and the actual DSA release), some of the buildd signing keys may have expired in the meantime, and ftp-master then rejects the packages. This has to be fixed by manually re-signing the .changes file(s) as found on security-master and dput-ing them, together with the .debs, directly to ftp-master. The old/archived .changes files are found in /srv/security-master.debian.org/queue/done.
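A pre-flight check for that manual re-sign and re-upload, as an added example that is not part of dak or the security team's own tooling: before running debsign and dput on a .changes taken from queue/done, verify that every file it references is actually present beside it and still matches the recorded size and SHA-256, since a stale or missing .deb gets the upload rejected again. The sample upload is constructed inline; the key ID and the "ftp-master" dput target are assumptions, and debsign/dput are only printed, not executed, so the script runs anywhere with coreutils.

```sh
#!/bin/sh
# Added example, not part of dak or the Debian security team's tooling.
# Before re-signing a .changes file taken from
# /srv/security-master.debian.org/queue/done and dput-ing it straight to
# ftp-master, confirm that every file it references is present beside it
# and still matches the recorded size and SHA-256; otherwise ftp-master
# rejects the upload a second time. The sample upload below is constructed;
# debsign/dput are printed rather than run, so this executes anywhere.

# Print "<sha256> <size> <name>" for each entry of the Checksums-Sha256
# section: the indented lines after the field name, up to the next field.
changes_sha256_entries() {
    awk '/^Checksums-Sha256:/ { in_section = 1; next }
         /^[^ ]/               { in_section = 0 }
         in_section && NF == 3 { print $1, $2, $3 }' "$1"
}

# Return 0 if every referenced file exists with the right size and digest,
# 1 otherwise, with one diagnostic per problem on stderr.
check_changes_files() {
    changes=$1
    dir=$(dirname "$changes")
    entries=$(mktemp) || return 1
    changes_sha256_entries "$changes" > "$entries"
    if [ ! -s "$entries" ]; then
        echo "no Checksums-Sha256 entries in $changes" >&2
        rm -f "$entries"
        return 1
    fi
    bad=0
    while read -r want_sum want_size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "missing: $name" >&2
            bad=1
            continue
        fi
        got_size=$(wc -c < "$path" | tr -d ' ')
        got_sum=$(sha256sum "$path" | awk '{ print $1 }')
        if [ "$got_size" != "$want_size" ]; then
            echo "size mismatch: $name ($got_size != $want_size)" >&2
            bad=1
        fi
        if [ "$got_sum" != "$want_sum" ]; then
            echo "sha256 mismatch: $name" >&2
            bad=1
        fi
    done < "$entries"
    rm -f "$entries"
    return "$bad"
}

# The re-sign and upload commands themselves. The key ID and the dput
# target name "ftp-master" (the usual /etc/dput.cf stanza) are assumptions.
resign_and_upload_cmds() {
    echo "debsign -k $2 --re-sign $1"
    echo "dput ftp-master $1"
}

# Constructed sample: fake .dsc and .deb in a temp dir, plus a .changes
# whose checksum sections are generated from them. Prints the .changes path.
make_sample_upload() {
    d=$(mktemp -d) || return 1
    printf 'fake source package\n' > "$d/foo_1.0-1+deb11u1.dsc"
    printf 'fake binary package\n' > "$d/foo_1.0-1+deb11u1_amd64.deb"
    {
        echo "Format: 1.8"
        echo "Source: foo"
        echo "Version: 1.0-1+deb11u1"
        echo "Distribution: bullseye-security"
        echo "Checksums-Sha256:"
        for f in foo_1.0-1+deb11u1.dsc foo_1.0-1+deb11u1_amd64.deb; do
            echo " $(sha256sum "$d/$f" | awk '{ print $1 }') $(wc -c < "$d/$f" | tr -d ' ') $f"
        done
        echo "Files:"
        for f in foo_1.0-1+deb11u1.dsc foo_1.0-1+deb11u1_amd64.deb; do
            echo " $(md5sum "$d/$f" | awk '{ print $1 }') $(wc -c < "$d/$f" | tr -d ' ') admin optional $f"
        done
    } > "$d/foo_1.0-1+deb11u1_amd64.changes"
    echo "$d/foo_1.0-1+deb11u1_amd64.changes"
}

# Stand-alone demo: check the sample, then show the commands that would follow.
demo_changes=$(make_sample_upload)
if check_changes_files "$demo_changes"; then
    echo "ok: all files referenced by $demo_changes are present and match"
    resign_and_upload_cmds "$demo_changes" "${DEBSIGN_KEYID:-KEYID}"
fi
```

Run the check against the real .changes from queue/done (copied next to the matching .debs) before calling debsign; only if it passes is re-signing and dput-ing worth the round trip. Note that debsign with --re-sign replaces the existing buildd signature, which is exactly what is wanted when the original signing key has expired.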
- The archive breaks if new-security-install is aborted halfway through, so never interrupt it once started.
- Packages with udebs end up in NEW. Asking ftp-master to simply accept them installs them into the archive, which is usually not what is wanted.