We need to consider the following dak limitations or behaviour for security updates:

 * Initial uploads of packages to security-master need to be built with "-sa" to include the orig.tar.gz. If oldstable and stable share the same tarball the build first stable package with -sa, upload to security-master, wait for it beeing accepted into the queue, and build oldstable without -sa and upload to security master.

 * dak mails are only sent to an @security.debian.org alias and not to the uploader (who might be the maintainer). DebianBug:796784

 * DM maintainers cannot upload to security-master, while they can upload to ftp-master. DebianBug:796095

 * When it takes a while before packages get uploaded to ftp-master (e.g. when there's some time between upload to security-master and actual DSA release), some of the buildd signing keys may have expired in the meantime and ftp-master rejects the packages. This has to be fixed by manually resigning the .changes file(s) as found on security-master and dputting them with the .debs directly to ftp-master. The old/archived changes files are fond in {{{/srv/security-master.debian.org/queue/done}}}

 * The archive breaks if new-security-install is aborted

 * Packages with udebs end up in NEW, asking ftp-master to simply accept them will ''install'' them, which is not usually desired.